Debian Bug report logs - #281665
[CAN-2004-1051] Bash scripts run via Sudo can be subverted and sudo 1.6.8p2 released

Package: sudo; Maintainer for sudo is Bdale Garbee <bdale@gag.com>; Source for sudo is src:sudo.

Reported by: Hideki Yamane <henrich@samba.gr.jp>

Date: Wed, 17 Nov 2004 04:33:05 UTC

Severity: grave

Tags: patch, security, upstream, woody

Fixed in version sudo/1.6.8p3-1

Done: bdale@gag.com (Bdale Garbee)

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#281665; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Hideki Yamane <henrich@samba.gr.jp>:
New Bug report received and forwarded. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Hideki Yamane <henrich@samba.gr.jp>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [vulnerability] Bash scripts run via Sudo can be subverted and sudo 1.6.8p2 released
Date: Wed, 17 Nov 2004 13:22:46 +0900
Package: sudo
Severity: grave
Tags: security, woody, sarge, sid
Justification: user security hole

Dear sudo maintainer,

 Maybe you know about this, but there is no post in BTS, so I'll send 
 it to you as a notice.

 Vulnerability was found in sudo. sudo's environment sanitizing could 
 allow a malicious user with permission to run a script that utilized 
 the bash shell to run arbitrary commands.
 For more detail, see http://www.courtesan.com/sudo/alerts/bash_functions.html

 It says affected version is "All versions prior to 1.6.8p2", so all of 
 woody/sarge/sid sudo package are affected, and says "The bug is fixed 
 in sudo 1.6.8p2" but no pointer or patch is available. So you should 
 check diffs via CVS...
 

 Please check it.

-- 

 Hideki Yamane     henrich @ samba.gr.jp/iijmio-mail.jp





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#281665; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 281665@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: Hideki Yamane <henrich@samba.gr.jp>
Cc: 281665@bugs.debian.org
Subject: Re: Bug#281665: [vulnerability] Bash scripts run via Sudo can be subverted and sudo 1.6.8p2 released
Date: Tue, 16 Nov 2004 23:13:01 -0700
Hideki Yamane <henrich@samba.gr.jp> writes:

>  Please check it.

Thanks.

Bdale



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#281665; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <muehlenhoff@univention.de>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #15 received at 281665@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <muehlenhoff@univention.de>
To: 281665@bugs.debian.org
Subject: Fix for this vulnerability
Date: Wed, 17 Nov 2004 09:59:18 +0100
[Message part 1 (text/plain, inline)]
Hi,
attached patch adapts the security relevant fixes from
(1.6.8p1->1.6.8p2) for the current sid version.

Cheers,
        Moritz
-- 
Moritz Mühlenhoff  muehlenhoff@univention.de      fon: +49 421 22 232- 0
Development        Linux for Your Business                             
Univention GmbH    http://www.univention.de/      fax: +49 421 22 232-99
[security-sudo-strip-bash-exported-funcs.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#281665; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #20 received at 281665@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: Moritz Mühlenhoff <muehlenhoff@univention.de>
Cc: 281665@bugs.debian.org
Subject: Re: Bug#281665: Fix for this vulnerability
Date: Wed, 17 Nov 2004 13:12:55 -0700
Moritz Mühlenhoff <muehlenhoff@univention.de> writes:

> attached patch adapts the security relevant fixes from
> (1.6.8p1->1.6.8p2) for the current sid version.

Thanks, this may help the security team address sarge.  I've packaged 1.6.8p3
for unstable, expect an upload soonest.

Bdale



Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Hideki Yamane <henrich@samba.gr.jp>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #25 received at 281665-close@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: 281665-close@bugs.debian.org
Subject: Bug#281665: fixed in sudo 1.6.8p3-1
Date: Wed, 17 Nov 2004 16:02:19 -0500
Source: sudo
Source-Version: 1.6.8p3-1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo_1.6.8p3-1.diff.gz
  to pool/main/s/sudo/sudo_1.6.8p3-1.diff.gz
sudo_1.6.8p3-1.dsc
  to pool/main/s/sudo/sudo_1.6.8p3-1.dsc
sudo_1.6.8p3-1_i386.deb
  to pool/main/s/sudo/sudo_1.6.8p3-1_i386.deb
sudo_1.6.8p3.orig.tar.gz
  to pool/main/s/sudo/sudo_1.6.8p3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 281665@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Tue, 16 Nov 2004 23:23:41 -0700
Source: sudo
Binary: sudo
Architecture: source i386
Version: 1.6.8p3-1
Distribution: unstable
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 sudo       - Provide limited super user privileges to specific users
Closes: 236465 263486 271194 281665
Changes: 
 sudo (1.6.8p3-1) unstable; urgency=high
 .
   * new upstream version, fixes a flaw in sudo's environment sanitizing that
     could allow a malicious user with permission to run a shell script that
     utilized the bash shell to run arbitrary commands, closes: #281665
   * patch the sample sudoers to have the proper path for kill on Debian
     systems, closes: #263486
   * patch the sudo manpage to reflect Debian's choice of exempt_group
     default setting, closes: #236465
   * patch the sudo manpage to reflect Debian's choice of no timeout on the
     password prompt, closes: #271194
Files: 
 8c24a067df4378a5c665c68ac580a7c5 567 admin optional sudo_1.6.8p3-1.dsc
 b2293ece1b72d9d360bc6a6b3a588787 583791 admin optional sudo_1.6.8p3.orig.tar.gz
 abaf30e64d48e53e82c18468b524654c 19006 admin optional sudo_1.6.8p3-1.diff.gz
 d7198bcf98ebd91c6ca6cbaace373cfb 158650 admin optional sudo_1.6.8p3-1_i386.deb





Changed Bug title. Request was from "J.H.M. Dassen (Ray)" <jdassen@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#281665; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #32 received at 281665@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 281665@bugs.debian.org
Cc: security@debian.org
Subject: Woody patch for sudo vulnerability CAN-2004-1051
Date: Thu, 18 Nov 2004 13:32:22 +0100
[Message part 1 (text/plain, inline)]
Hi,
attached you find a patch for the sudo vulnerability CAN-2004-1051
resynched for Woody. Note that this includes an additional fix 
introduced in 1.6.8pl3 (stripping CDPATH as well, which was
announced for pl2, but only included in the docs, not in the source
code itself).

Cheers,
        Moritz
[CAN-2004-1051-sudo-strip-bash-functions.patch (text/plain, attachment)]
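
The filtering that the patch names and the message above describe (dropping bash exported functions and CDPATH from the environment before a command runs), as an added C example. It is not the attached patch or sudo's own code; `env_entry_is_unsafe`, `sanitize_env` and `sample_env` are constructed for illustration, and it assumes the bash behaviour of the time, where an inherited variable whose value began with `()` was imported as a function definition.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 if a "NAME=value" entry must be dropped. */
static int env_entry_is_unsafe(const char *entry)
{
    const char *eq = strchr(entry, '=');

    /* No '=' at all: malformed entry, do not pass it on. */
    if (eq == NULL)
        return 1;
    /* Value starting with "()" is what bash treated as an exported function;
     * the variable name is irrelevant, so the check is on the value only. */
    if (strncmp(eq + 1, "()", 2) == 0)
        return 1;
    /* CDPATH changes where a plain `cd dir` inside a script ends up.
     * Match the exact name, not names that merely start with it. */
    if ((size_t)(eq - entry) == 6 && strncmp(entry, "CDPATH", 6) == 0)
        return 1;
    return 0;
}

/* Compact a NULL-terminated envp in place; returns the number of entries kept. */
size_t sanitize_env(char **envp)
{
    size_t kept = 0;

    for (char **ep = envp; *ep != NULL; ep++) {
        if (!env_entry_is_unsafe(*ep))
            envp[kept++] = *ep;
    }
    envp[kept] = NULL;
    return kept;
}

/* Constructed sample environment, not taken from the bug report. */
char *sample_env[] = {
    "PATH=/usr/bin:/bin", "ls=() { echo constructed-marker; }",
    "CDPATH=/tmp", "CDPATHX=/opt", "TERM=xterm", NULL
};

int main(void)
{
    size_t n = sanitize_env(sample_env);

    for (size_t i = 0; i < n; i++)
        puts(sample_env[i]);
    return 0;
}
```

The filter runs silently; any per-entry diagnostics belong on stderr behind a debug switch, not on stdout.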

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#281665; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #37 received at 281665@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 281665@bugs.debian.org, security@debian.org
Subject: Re: Woody patch for sudo vulnerability CAN-2004-1051
Date: Thu, 18 Nov 2004 14:48:19 +0100
Thanks!

Moritz Muehlenhoff wrote:
> Hi,
> attached you find a patch for the sudo vulnerability CAN-2004-1051
> resynched for Woody. Note that this includes an additional fix 
> introduced in 1.6.8pl3 (stripping CDPATH as well, which was
> announced for pl2, but only included in the docs, not in the source
> code itself).

It's similar to my patch which is already building.  The maintainer
was informed as well.

Regards,

	Joey

PS: It was me who requested the CVE Id.

-- 
Every use of Linux is a proper use of Linux.  -- Jon 'maddog' Hall



Bug reopened, originator not changed. Request was from "J.H.M. Dassen (Ray)" <jdassen@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: sid Request was from "J.H.M. Dassen (Ray)" <jdassen@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: upstream, patch Request was from "J.H.M. Dassen (Ray)" <jdassen@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#281665; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #48 received at 281665@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 281665@bugs.debian.org, security@debian.org
Subject: Re: Woody patch for sudo vulnerability CAN-2004-1051
Date: Wed, 24 Nov 2004 14:28:05 +0000
On Thu, Nov 18, 2004 at 02:48:19PM +0100, Martin Schulze wrote:

> Moritz Muehlenhoff wrote:
> > Hi,
> > attached you find a patch for the sudo vulnerability CAN-2004-1051
> > resynched for Woody. Note that this includes an additional fix 
> > introduced in 1.6.8pl3 (stripping CDPATH as well, which was
> > announced for pl2, but only included in the docs, not in the source
> > code itself).
> 
> It's similar to my patch which is already building.  The maintainer
> was informed as well.

  It looks like there's some debug statement still live in the
 uploaded sudo version:

+           printf ("Looking at %s...\n", *ep);
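
Review bot: this added printf writes each environment entry to stdout, and the session output that follows shows it firing for every variable, so it both corrupts the output of anything run through sudo and echoes environment values to the terminal. Remove the line before upload, or compile it only under a debug define and send it to stderr.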


  This gives me lots of diagnostic information which is irritating:

steve@fry:~/f$ sudo -s
Looking at PWD=/home/steve/f...
Looking at PS1=\u@\h:\w\$ ...
Looking at USER=steve...
Looking at HISTCONTROL=ignoredups...
Looking at
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.jpg=01;35:*.jpeg=01;35:*.png=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.mpg=01;35:*.mpeg=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.ogg=01;35:*.mp3=01;35:...
Looking at MAIL=/var/mail/steve...
Looking at SSH_CLIENT=212.20.241.33 23791 22...
Looking at LOGNAME=steve...
Looking at SHLVL=1...
Looking at SHELL=/bin/bash...
Looking at HOME=/home/steve...
Looking at TERM=xterm...
Looking at
PATH=/home/steve/bin:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games:/usr/sbin...
Looking at SSH_TTY=/dev/pts/0...
Looking at _=/usr/bin/sudo...
Looking at OLDPWD=/home/steve...


Steve
--



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#281665; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #53 received at 281665@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Steve Kemp <skx@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 281665@bugs.debian.org, security@debian.org
Subject: Re: Woody patch for sudo vulnerability CAN-2004-1051
Date: Wed, 24 Nov 2004 16:07:14 +0100
Steve Kemp wrote:
> On Thu, Nov 18, 2004 at 02:48:19PM +0100, Martin Schulze wrote:
> 
> > Moritz Muehlenhoff wrote:
> > > Hi,
> > > attached you find a patch for the sudo vulnerability CAN-2004-1051
> > > resynched for Woody. Note that this includes an additional fix 
> > > introduced in 1.6.8pl3 (stripping CDPATH as well, which was
> > > announced for pl2, but only included in the docs, not in the source
> > > code itself).
> > 
> > It's similar to my patch which is already building.  The maintainer
> > was informed as well.
> 
>   It looks like there's some debug statement still live in the
>  uploaded sudo version:
> 
> +           printf ("Looking at %s...\n", *ep);
> 
> 
>   This gives me lots of diagnostic information which is irritating:

*sigh*  I really hate this.  The sad thing is that when you get blind
yourself and don't notice this after you've looked at the code too long.
I'm building an update now.  Sorry for that!

Regards,

	Joey

-- 
WARNING: Do not execute!  This call violates patent DE10108564.
http://www.elug.de/projekte/patent-party/patente/DE10108564

wget -O patinfo-`date +"%Y%m%d"`.html http://patinfo.ffii.org/



Tags removed: sarge Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to bdale@gag.com (Bdale Garbee):
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Hideki Yamane <henrich@samba.gr.jp>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #60 received at 281665-done@bugs.debian.org (full text, mbox):

From: bdale@gag.com (Bdale Garbee)
To: 281665-done@bugs.debian.org
Subject: fixed
Date: Sat, 26 Mar 2005 22:10:03 -0700 (MST)
I believe that with 1.6.6-1.3 now in unstable, that this is no longer an issue.

Bdale




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 03:55:17 2014; Machine Name: beach.debian.org
