Debian Bug report logs - #342948
CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars

Package: sudo; Maintainer for sudo is Bdale Garbee <bdale@gag.com>; Source for sudo is src:sudo.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Sun, 11 Dec 2005 21:48:02 UTC

Severity: important

Tags: security

Fixed in version sudo/1.6.8p12-1

Done: Bdale Garbee <bdale@gag.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars
Date: Sun, 11 Dec 2005 22:38:40 +0100
Package: sudo
Severity: important
Tags: security

Quoting from http://www.sudo.ws/sudo/alerts/perl_env.html :
| The PERL5LIB and PERLLIB environment variables can be used to provide a list of
| directories in which to look for perl library files before the system directories are
| searched. It is similar in concept to the LD_LIBRARY_PATH environment variables, only for
| perl. These variables are ignored if "tainting" is enabled (via the -T switch). The
| PERL5OPT environment variable specifies additional command line options to be passed to
| the script which may modify its behavior.
|
| Malicious users with sudo access to run a perl script can use these variables to include
| and execute their own library file with the same name as a system library file that is
| included (via the "use" or "require" directives) by the perl script run via sudo.

It's been fixed upstream in 1.6.8p12.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to team@security.debian.org, Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #10 received at 342948@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Debian Bug Tracking System <342948@bugs.debian.org>
Subject: Re: Bug#342948: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars
Date: Mon, 12 Dec 2005 17:26:46 +0100
Moritz Muehlenhoff wrote:
> Package: sudo
> Severity: important
> Tags: security
> 
> Quoting from http://www.sudo.ws/sudo/alerts/perl_env.html :
> | The PERL5LIB and PERLLIB environment variables can be used to provide a list of
> | directories in which to look for perl library files before the system directories are
> | searched. It is similar in concept to the LD_LIBRARY_PATH environment variables, only for
> | perl. These variables are ignored if "tainting" is enabled (via the -T switch). The
> | PERL5OPT environment variable specifies additional command line options to be passed to
> | the script which may modify its behavior.
> |
> | Malicious users with sudo access to run a perl script can use these variables to include
> | and execute their own library file with the same name as a system library file that is
> | included (via the "use" or "require" directives) by the perl script run via sudo.
> 
> It's been fixed upstream in 1.6.8p12.

This is true, but it becomes ridiculous.

Maintaining a blacklist of environment variables is not a proper approach.

For Perl the above variables are dangerous.

For Python it's PYTHONPATH.

For TeX it's TEXINPUTS.

For Ruby it is...

For....

This list only ends after all languages were checked, and then starts
from the beginning, since probably new possibilities have been created
in the meantime.

Regards,

	Joey

-- 
If nothing changes, everything will remain the same.  -- Barne's Law

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #15 received at 342948@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Debian Bug Tracking System <342948@bugs.debian.org>, Debian Security Team <team@security.debian.org>, Bdale Garbee <bdale@gag.com>
Subject: Re: Bug#342948: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars
Date: Mon, 12 Dec 2005 19:03:06 +0100
Martin Schulze wrote:
> > It's been fixed upstream in 1.6.8p12.
> 
> This is true, but it becomes ridiculous.

Finally allocated some time to develop a minimal patch.

The attached patch only uses the variables listed in env_check to
be passed to the setuid environment.  This will preserve language
settings by default, but nothing more.

What do people think about this?

Regards,

	Joey

-- 
If nothing changes, everything will remain the same.  -- Barne's Law

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #20 received at 342948@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, Debian Bug Tracking System <342948@bugs.debian.org>, Debian Security Team <team@security.debian.org>, Bdale Garbee <bdale@gag.com>
Subject: Re: Bug#342948: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars
Date: Mon, 12 Dec 2005 19:31:19 +0100
[Message part 1 (text/plain, inline)]
Martin Schulze wrote:
> Martin Schulze wrote:
> > > It's been fixed upstream in 1.6.8p12.
> > 
> > This is true, but it becomes ridiculous.
> 
> Finally allocated some time to develop a minimal patch.
> 
> The attached patch only uses the variables listed in env_check to
> be passed to the setuid environment.  This will preserve language
> settings by default, but nothing more.

This time with the attachment attached.

Regards,

	Joey

-- 
If nothing changes, everything will remain the same.  -- Barne's Law

Please always Cc to me when replying to me on the lists.
[x (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #25 received at 342948@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Debian Bug Tracking System <342948@bugs.debian.org>, Debian Security Team <team@security.debian.org>, Bdale Garbee <bdale@gag.com>
Subject: Re: Bug#342948: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars
Date: Wed, 21 Dec 2005 23:55:51 +0100
Martin Schulze wrote:
> The attached patch only uses the variables listed in env_check to
> be passed to the setuid environment.  This will preserve language
> settings by default, but nothing more.
> 
> What do people think about this?

The patch itself looks fine for sid (although HOME, LOGNAME, PATH,
SHELL and USER should be allowed as well, as they're quite crucial,
security-wise clean and enabled for the limited env_reset environment
as well), but I think it's a bit too aggressive for a stable update?

http://www.sudo.ws/sudo/alerts/perl_env.html suggests that environment
sanitising takes only place if explicitly enabled with the -T switch,
but the "-T" isn't present in the getopt like parser in sudo.c and
the sanitising is done unconditionally in env.c.

I guess for Woody and Sarge it would be less intrusive to add
PERLLIB PERL5LIB PERL5OPT into the black list and point out in
the advisory that the use of sudo is only recommended for binaries,
shell and Perl scripts.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #30 received at 342948@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Debian Bug Tracking System <342948@bugs.debian.org>, Debian Security Team <team@security.debian.org>, Bdale Garbee <bdale@gag.com>
Subject: Re: Bug#342948: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars
Date: Thu, 22 Dec 2005 09:15:46 +0100
Moritz Muehlenhoff wrote:
> Martin Schulze wrote:
> > The attached patch only uses the variables listed in env_check to
> > be passed to the setuid environment.  This will preserve language
> > settings by default, but nothing more.
> > 
> > What do people think about this?
> 
> The patch itself looks fine for sid (although HOME, LOGNAME, PATH,
> SHELL and USER should be allowed as well, as they're quite crucial,

I consider SHELL problematic and sudo should probably reset it to
a sane default.

> security-wise clean and enabled for the limited env_reset environment
> as well), but I think it's a bit too aggressive for a stable update?

I don't think so anymore.  Also, due to the lack of feedback I've already
built packages and pushed them into the security queue.

> http://www.sudo.ws/sudo/alerts/perl_env.html suggests that environment
> sanitising takes only place if explicitly enabled with the -T switch,
> but the "-T" isn't present in the getopt like parser in sudo.c and
> the sanitising is done unconditionally in env.c.
> 
> I guess for Woody and Sarge it would be less intrusive to add
> PERLLIB PERL5LIB PERL5OPT into the black list and point out in
> the advisory that the use of sudo is only recommended for binaries,
> shell and Perl scripts.

It's a box of pandora.  You can hardly hit all variables.

Bdale, what's your opinion?

Regards,

	Joey

-- 
Given enough thrust pigs will fly, but it's not necessarily a good idea.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #35 received at 342948@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: Martin Schulze <joey@infodrom.org>, 342948@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#342948: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars
Date: Wed, 28 Dec 2005 15:04:48 -0700
On Thu, 2005-12-22 at 09:15 +0100, Martin Schulze wrote:

> It's a box of pandora.  You can hardly hit all variables.
> 
> Bdale, what's your opinion?

One of the workarounds suggested by upstream in the p12 release
announcement is:

    Alternately, the administrator can add a line to the top of
    sudoers file:

    Defaults        env_reset

    which will reset the environment to only contain the variables
    HOME, LOGNAME, PATH, SHELL, TERM, and USER, also preventing
    this attack.

My inclination for unstable is to just package p12 and upload it as-is.
It might also be reasonable to add the env_reset entry to the sudoers
file we create if none already exists?  I think I'll do that.  But
forcing a change on already-installed systems of that kind certainly
doesn't make sense.

Bdale




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #40 received at 342948@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Bdale Garbee <bdale@gag.com>
Cc: 342948@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#342948: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars
Date: Thu, 29 Dec 2005 10:17:16 +0100
Bdale Garbee wrote:
> On Thu, 2005-12-22 at 09:15 +0100, Martin Schulze wrote:
> 
> > It's a box of pandora.  You can hardly hit all variables.
> > 
> > Bdale, what's your opinion?
> 
> One of the workarounds suggested by upstream in the p12 release
> announcement is:
> 
>     Alternately, the administrator can add a line to the top of
>     sudoers file:
> 
>     Defaults        env_reset
> 
>     which will reset the environment to only contain the variables
>     HOME, LOGNAME, PATH, SHELL, TERM, and USER, also preventing
>     this attack.
> 
> My inclination for unstable is to just package p12 and upload it as-is.

Ack.  Sounds reasonable.

> It might also be reasonable to add the env_reset entry to the sudoers
> file we create if none already exists?  I think I'll do that.  But

Yes.

> forcing a change on already-installed systems of that kind certainly
> doesn't make sense.

I'm not quite sure.  That would leave existing systems in a vulnerable
state, even though we have corrected this in woody + sarge (by another
means, though).

A note to NEWS.Debian should be read at least.

When you've uploaded the sid package, please drop me a line.
I assume that 

Regards,

	Joey

-- 
All language designers are arrogant.  Goes with the territory...
	-- Larry Wall

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #45 received at 342948@bugs.debian.org (full text, mbox):

From: Justin Pryzby <justinpryzby@users.sourceforge.net>
To: Martin Schulze <joey@infodrom.org>
Cc: 342948@bugs.debian.org
Subject: sudo security patch
Date: Thu, 29 Dec 2005 20:54:59 -0500
Hello Joey,

I was perusing the new queue, and noticed the sudo package there (for
reasons unknown).  I noticed that it closes bug#342948, and at the end
of the buglog, you said: "When you've uploaded the sid package, please
drop me a line.  I assume that " and it ends there.  What did you mean
to say?

-- 
Clear skies,
Justin



Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #50 received at 342948-close@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: 342948-close@bugs.debian.org
Subject: Bug#342948: fixed in sudo 1.6.8p12-1
Date: Fri, 30 Dec 2005 09:10:31 -0800
Source: sudo
Source-Version: 1.6.8p12-1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo-ldap_1.6.8p12-1_i386.deb
  to pool/main/s/sudo/sudo-ldap_1.6.8p12-1_i386.deb
sudo_1.6.8p12-1.diff.gz
  to pool/main/s/sudo/sudo_1.6.8p12-1.diff.gz
sudo_1.6.8p12-1.dsc
  to pool/main/s/sudo/sudo_1.6.8p12-1.dsc
sudo_1.6.8p12-1_i386.deb
  to pool/main/s/sudo/sudo_1.6.8p12-1_i386.deb
sudo_1.6.8p12.orig.tar.gz
  to pool/main/s/sudo/sudo_1.6.8p12.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 342948@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 28 Dec 2005 13:49:10 -0700
Source: sudo
Binary: sudo-ldap sudo
Architecture: source i386
Version: 1.6.8p12-1
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 342948 344034
Changes: 
 sudo (1.6.8p12-1) unstable; urgency=low
 .
   * new upstream version, closes: #342948 (CVE-2005-4158)
   * add env_reset to the sudoers file we create if none already exists,
     as a further precaution in response to discussion about CVS-2005-4158
   * split ldap support into a new sudo-ldap package.  I was trying to avoid
     doing this, but the impact of going from 4 to 17 linked shlibs on the
     autobuilder chroots is sufficient motivation for me.
     closes: #344034
Files: 
 6a1f51b30730dbe9a2402814242c09e8 591 admin optional sudo_1.6.8p12-1.dsc
 b29893c06192df6230dd5f340f3badf5 585643 admin optional sudo_1.6.8p12.orig.tar.gz
 8df19a66299fd77fa2ec43e6d0802382 28480 admin optional sudo_1.6.8p12-1.diff.gz
 9b80d0af75066921391efd713375e73b 159792 admin optional sudo_1.6.8p12-1_i386.deb
 ed31f882ebec71b2d16095b8476232a3 172136 admin optional sudo-ldap_1.6.8p12-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDszb8ZKfAp/LPAagRAr9UAJ46qBSLpLcMlu7BI2JEj3pKqzNfjACffnZQ
SReCd9WCcWRc7uAHsYK4zEo=
=SzYb
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #55 received at 342948@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: 342948@bugs.debian.org, Martin Schulze <joey@infodrom.org>
Cc: mdz@debian.org, cjwatson@debian.org, scott@netsplit.com
Subject: Re: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars
Date: Thu, 5 Jan 2006 17:36:51 +0100
[Message part 1 (text/plain, inline)]
Hi Bdale, hi Joey!

I still think that the current sid version is broken: it does nothing
to fix this vulnerability for similar cases (JAVA_TOOL_OPTIONS,
PYTHONHOME, RUBYLIB, etc. pp) in existing installations and upgrades
from stable, and for new installations it disables environment passing
completely, which breaks lots of scripts and users which/who do
'VAR=value sudo foo'.

I discussed this a bit with Matt Zimmerman, Scott Remnant, and Colin
Watson, and our current agreement is as follows: 

 * We use Joey's whitelist approach if the user has limited sudo
   access, since it's the only sane long term solution and fixes the
   issue not only for brand new installations.

 * If the user has unlimited access anyway (i. e. "ALL" commands),
   then we do not filter out environment variables. The user can shoot
   himself in the foot much easier. And e. g. for developers it does
   indeed make sense to set a library path to a development version in
   his HOME temporarily for testing something.

I would appreciate if Debian and Ubuntu would find a common solution.
What do you think about this approach?

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]
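
The deny-list versus allow-list argument running through this thread, together with the limited/ALL policy proposed in message #55, as an added C example (not code from sudo or from any patch referenced in this log). The allow-list contents, the sample environment and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum filter_mode { MODE_DENYLIST, MODE_ALLOWLIST };

/* Deny-list: the three variables named in the advisory quoted in this thread. */
static const char *const DENYLIST[] = { "PERLLIB", "PERL5LIB", "PERL5OPT", NULL };

/* Allow-list (assumption for this example): the env_reset set quoted in the
 * thread plus locale settings. A trailing '*' matches any suffix. */
static const char *const ALLOWLIST[] = {
    "HOME", "LOGNAME", "PATH", "SHELL", "TERM", "USER",
    "LANG", "LANGUAGE", "LC_*", NULL
};

/* Constructed sample environment, not taken from a real system. */
static const char *const SAMPLE_ENV[] = {
    "PATH=/usr/bin:/bin", "LANG=C", "LC_CTYPE=de_DE.ISO-8859-15@euro",
    "PERL5LIB=/home/user/lib", "PYTHONPATH=/home/user/lib",
    "RUBYLIB=/home/user/lib", "DISPLAY=:0", "BROKEN", NULL
};

/* Return 1 if the NAME part of "NAME=value" matches pattern. */
static int name_matches(const char *entry, const char *pattern)
{
    const char *eq = strchr(entry, '=');
    size_t plen = strlen(pattern), nlen;

    if (eq == NULL || eq == entry)
        return 0;                       /* no name part: never matches */
    nlen = (size_t)(eq - entry);
    if (plen > 0 && pattern[plen - 1] == '*')
        return nlen >= plen - 1 && strncmp(entry, pattern, plen - 1) == 0;
    return nlen == plen && strncmp(entry, pattern, nlen) == 0;
}

static int in_list(const char *entry, const char *const list[])
{
    for (size_t i = 0; list[i] != NULL; i++)
        if (name_matches(entry, list[i]))
            return 1;
    return 0;
}

/* Return 1 if env contains a variable called name. */
int env_has(const char *const env[], const char *name)
{
    for (size_t i = 0; env[i] != NULL; i++)
        if (name_matches(env[i], name))
            return 1;
    return 0;
}

/* Copy the entries of in[] that survive the chosen filter into out[]
 * (NULL-terminated, at most cap-1 entries). Returns the number kept. */
size_t filter_env(const char *const in[], const char *out[], size_t cap,
                  enum filter_mode mode)
{
    size_t n = 0;

    if (cap == 0)
        return 0;
    for (size_t i = 0; in[i] != NULL; i++) {
        const char *eq = strchr(in[i], '=');
        int keep;

        if (eq == NULL || eq == in[i])
            continue;                   /* malformed entry: drop in both modes */
        keep = (mode == MODE_ALLOWLIST) ? in_list(in[i], ALLOWLIST)
                                        : !in_list(in[i], DENYLIST);
        if (keep && n + 1 < cap)
            out[n++] = in[i];
    }
    out[n] = NULL;
    return n;
}

/* Policy from message #55: allow-list when sudo access is limited,
 * pass the environment through unfiltered when the user may run ALL. */
size_t build_env(const char *const in[], const char *out[], size_t cap,
                 int user_may_run_all)
{
    size_t n = 0;

    if (!user_may_run_all)
        return filter_env(in, out, cap, MODE_ALLOWLIST);
    if (cap == 0)
        return 0;
    for (size_t i = 0; in[i] != NULL && n + 1 < cap; i++)
        out[n++] = in[i];
    out[n] = NULL;
    return n;
}

int main(void)
{
    const char *out[16];
    size_t n = filter_env(SAMPLE_ENV, out, 16, MODE_DENYLIST);

    printf("deny-list:  kept %zu, PYTHONPATH kept=%d\n", n, env_has(out, "PYTHONPATH"));
    n = filter_env(SAMPLE_ENV, out, 16, MODE_ALLOWLIST);
    printf("allow-list: kept %zu, PYTHONPATH kept=%d\n", n, env_has(out, "PYTHONPATH"));
    return 0;
}
```

With the allow-list, DISPLAY is dropped along with the interpreter search paths, which is the kind of breakage reported later in this log for `sudo xeyes`.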

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Andres Salomon <dilinger@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #60 received at 342948@bugs.debian.org (full text, mbox):

From: Andres Salomon <dilinger@debian.org>
To: 342948@bugs.debian.org
Subject: Re: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars
Date: Thu, 05 Jan 2006 12:39:08 -0500
I find myself agreeing with Martin here; this isn't really optimal for
sid, as it doesn't take into account existing installations and
upgrades.  Even at the risk of changing behavior, I think this is an
important enough fix to warrant making env_reset the default behavior.

Differentiating between ALL and limited sudo access seems like
unnecessary logic, and is sure to confuse people (the sudoers manpage is
already quite long, more than 1000 lines; finding a brief mention of
differing behavior wrt environment variables and sudo access will
probably be missed).  I would prefer a simpler solution; simply remove
all unknown env variables in all cases.  If users are running sid, they
should be able to deal with this sort of behavioral change, and it
should be documented in NEWS.Debian.




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #65 received at 342948@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Martin Pitt <mpitt@debian.org>
Cc: 342948@bugs.debian.org, dspmdz@debian.org, cjwatson@debian.org, scott@netsplit.com
Subject: Re: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars
Date: Wed, 11 Jan 2006 16:38:16 +0100
Martin Pitt wrote:
> I still think that the current sid version is broken: it does nothing
> to fix this vulnerability for similar cases (JAVA_TOOL_OPTIONS,
> PYTHONHOME, RUBYLIB, etc. pp) in existing installations and upgrades
> from stable, and for new installations it disables environment passing
> completely, which breaks lots of scripts and users which/who do
> 'VAR=value sudo foo'.
> 
> I discussed this a bit with Matt Zimmerman, Scott Remnant, and Colin
> Watson, and our current agreement is as follows: 
> 
>  * We use Joey's whitelist approach if the user has limited sudo
>    access, since it's the only sane long term solution and fixes the
>    issue not only for brand new installations.
> 
>  * If the user has unlimited access anyway (i. e. "ALL" commands),
>    then we do not filter out environment variables. The user can shoot
>    himself in the foot much easier. And e. g. for developers it does
>    indeed make sense to set a library path to a development version in
>    his HOME temporarily for testing something.
> 
> I would appreciate if Debian and Ubuntu would find a common solution.
> What do you think about this approach?

I believe this is a sane approach.

Bdale, what do you think?

What's the current implementation in version 1.6.8p12-1 anyway?

Regards,

	Joey

-- 
Never trust an operating system you don't have source for!

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #70 received at 342948@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: Martin Schulze <joey@infodrom.org>, 342948@bugs.debian.org
Cc: Martin Pitt <mpitt@debian.org>, dspmdz@debian.org, cjwatson@debian.org, scott@netsplit.com
Subject: Re: Bug#342948: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars
Date: Wed, 11 Jan 2006 22:04:18 -0700
On Wed, 2006-01-11 at 16:38 +0100, Martin Schulze wrote:

> Bdale, what do you think?

I'm ok with it.  Does someone have a patch representing this behavior?

> What's the current implementation in version 1.6.8p12-1 anyway?

What upstream shipped for p12, plus env_reset added to sudoers when
nothing already exists and we're creating one from scratch.

Bdale




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #75 received at 342948@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Bdale Garbee <bdale@gag.com>
Cc: Martin Schulze <joey@infodrom.org>, 342948@bugs.debian.org, Martin Pitt <mpitt@debian.org>, mdz@debian.org, cjwatson@debian.org, scott@netsplit.com
Subject: Re: Bug#342948: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars
Date: Thu, 12 Jan 2006 21:43:55 +0100
[Message part 1 (text/plain, inline)]
Hi!

Bdale Garbee [2006-01-11 22:04 -0700]:
> On Wed, 2006-01-11 at 16:38 +0100, Martin Schulze wrote:
> 
> > Bdale, what do you think?
> 
> I'm ok with it.  Does someone have a patch representing this behavior?

No, but if we all agree, I'll cook one. I'll report back.

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #80 received at 342948@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Bdale Garbee <bdale@gag.com>
Cc: Martin Schulze <joey@infodrom.org>, 342948@bugs.debian.org, Martin Pitt <mpitt@debian.org>, mdz@debian.org, cjwatson@debian.org, scott@netsplit.com
Subject: Patch [was: Re: Bug#342948: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars]
Date: Fri, 13 Jan 2006 12:32:48 +0100
[Message part 1 (text/plain, inline)]
Hi again!

Bdale Garbee [2006-01-11 22:04 -0700]:
> On Wed, 2006-01-11 at 16:38 +0100, Martin Schulze wrote:
> 
> > Bdale, what do you think?
> 
> I'm ok with it.  Does someone have a patch representing this behavior?

I now finished the first version of the patch [1]. Please note that I
tried to keep the patch small; if this should be accepted upstream,
then env.c should be cleaned up severely.

I did the same changes to the LDAP backend; the change is fairly
straightforward, but I did not test it. I programmed it defensively,
so the worst that can happen is that your environment is slaughtered
even if you can execute "ALL" commands. Does someone of you happen to
use sudo with LDAP?

I would highly appreciate some more pairs of eyes on the patch,
though.

> What upstream shipped for p12, plus env_reset added to sudoers when
> nothing already exists and we're creating one from scratch.

I disabled the addition of env_reset in Ubuntu, since it doesn't help
for upgrades and would annoy real admins (with no command restriction)
too much, BTW.

Thanks for considering,

Martin

[1] http://patches.ubuntu.com/patches/sudo.envhandling.patch

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Peter Mottram <peter@sysnix.com>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #85 received at 342948@bugs.debian.org (full text, mbox):

From: Peter Mottram <peter@sysnix.com>
To: 342948@bugs.debian.org
Subject: 1.6.8p7-1.3 clobbers t*csh shell variables :-(
Date: Fri, 20 Jan 2006 18:12:49 +0100 (CET)
Now I can easily add environment variables back in using env_check but I 
see no way of pulling in csh shell variables. :-(

Is this the 'fix' that finally forces me to switch from tcsh to some other 
shell after 15 years?

btw: nice fix - the best solution IMHO.

R.
PeteM



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Nicholas Lee <nic@plumtree.co.nz>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #90 received at 342948@bugs.debian.org (full text, mbox):

From: Nicholas Lee <nic@plumtree.co.nz>
To: 342948@bugs.debian.org
Subject: Every so often a debconf message would be good
Date: Mon, 23 Jan 2006 14:21:28 +0000
http://stateless.geek.nz/2006/01/24/sudo-upgrade-from-debian-security-changes-env-handling/

When semantics changes it's important for a core tool like sudo to tell
people. Arbitrarily dumping the environment is likely to break some cron
scripts silently. A message using debconf would probably save a lot of
hassle.




Nicholas



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Andrew Pimlott <andrew@pimlott.net>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #95 received at 342948@bugs.debian.org (full text, mbox):

From: Andrew Pimlott <andrew@pimlott.net>
To: 342948@bugs.debian.org
Subject: patch for stable includes no documentation
Date: Wed, 25 Jan 2006 10:42:07 -0800
I want to amplify the comment of Nicholas Lee <nic@plumtree.co.nz>.
This patch did not include an update to the manual, only a terse mention
in the changelog.Debian.  Even reading the bug log, I cannot tell what
behaviour is implemented for stable.  This leaves the hapless
administrator to use guesswork to repair the damage, a precarious
situation for a security-critical function.  Further, there appears to
be no way to get the old behavior back in situations where that is safe.

I would suggest documenting the applied patch in the man page and
README.Debian.

Andrew



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Anton Ivanov <arivanov@sigsegv.cx>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #100 received at 342948@bugs.debian.org (full text, mbox):

From: Anton Ivanov <arivanov@sigsegv.cx>
To: 342948@bugs.debian.org
Subject: Apologies for reopening but you broke env_keep
Date: Thu, 16 Feb 2006 13:51:52 +0000
Defaults: env_keep no longer works at least for me.

Now only env_check allows passing variables, which, unless I am mistaken,
means that they undergo mandatory sanitization.

Brgds,

-- 

A. R. Ivanov
E-mail:  aivanov@sigsegv.cx
WWW:     http://www.sigsegv.cx/
pub 1024D/DDE5E715 2002-03-03 Anton R. Ivanov <ai1-n@sigsegv.cx>
    Fingerprint: C824 CBD7 EE4B D7F8 5331  89D5 FCDA 572E DDE5 E715

		




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Pat Suwalski <pat@suwalski.net>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #105 received at 342948@bugs.debian.org (full text, mbox):

From: Pat Suwalski <pat@suwalski.net>
To: 342948@bugs.debian.org
Subject: This Breaks Things Badly.
Date: Fri, 24 Feb 2006 18:06:16 -0500
This security update really breaks the behaviour of sudo, especially
with regard to the DISPLAY variable used in a lot of projects.

Things like:

	> sudo xeyes

no longer work.

We have to tell our users to add:

	Defaults env_reset, env_keep="DISPLAY"

to get their functionality back. This is WRONG.

--Pat



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#342948; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Anton Ivanov <arivanov@sigsegv.cx>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.

Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.

Full text and rfc822 format available.


Message #110 received at 342948@bugs.debian.org (full text, mbox):

From: Anton Ivanov <arivanov@sigsegv.cx>
To: 342948@bugs.debian.org
Date: Fri, 24 Mar 2006 22:13:19 +0000
Forgot to add:

While env_keep/env_check is b0rken with current sarge sudo it works OK
as per documentation with the more recent version from testing.

This is essentially the same bug as in:

#349196: sudo: DSA-946-1 broke joe horribly
#349549: XAUTHORITY broken
#349587: sudo -s does not preserve $HOME environment variable
#349729: sudo: Removes all user environment variables except TERM, LANG
and LANGUAGE

All of these can be resolved by upgrading to testing and setting the
relevant variables as env_keep or env_check. I have found no way of
getting these to work with current sudo from updates and had to upgrade
sudo on all systems I manage.

-- 

A. R. Ivanov
E-mail:  aivanov@sigsegv.cx
WWW:     http://www.sigsegv.cx/
pub 1024D/DDE5E715 2002-03-03 Anton R. Ivanov <ai1-n@sigsegv.cx>
    Fingerprint: C824 CBD7 EE4B D7F8 5331  89D5 FCDA 572E DDE5 E715
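
The env_keep / env_check distinction raised in messages #100, #105 and #110, as an added example that is not part of the bug log and is not sudo's own code: a simplified model of the behaviour documented in sudoers(5), where env_keep passes a listed variable unchanged and env_check passes it only if its value contains no `%` or `/`. The function name, the baseline list (taken from the title of #349729) and the sample environment are assumptions made for illustration.

```python
# Simplified model of sudoers env_reset / env_keep / env_check filtering.
# Not sudo's implementation: no wildcard names, no special case for TZ.

UNSAFE_CHARS = ("%", "/")  # env_check rejects values containing these

# Assumption: baseline taken from the title of #349729 quoted in this log.
BASELINE = ("TERM", "LANG", "LANGUAGE")


def filter_env(caller_env, env_keep=(), env_check=(), baseline=BASELINE):
    """Return (passed, dropped); dropped maps each name to the reason."""
    passed, dropped = {}, {}
    for name, value in caller_env.items():
        if name in env_check:
            # Model choice: a name in both lists is treated as env_check.
            bad = [c for c in UNSAFE_CHARS if c in value]
            if bad:
                dropped[name] = "env_check: value contains " + " ".join(bad)
            else:
                passed[name] = value
        elif name in env_keep or name in baseline:
            passed[name] = value  # kept verbatim, no inspection of the value
        else:
            dropped[name] = "env_reset: not in env_keep/env_check"
    return passed, dropped


# Constructed sample environment of the invoking user.
CALLER_ENV = {
    "TERM": "xterm",
    "LANG": "en_US.UTF-8",
    "DISPLAY": ":0.0",
    "XAUTHORITY": "/home/alice/.Xauthority",
    "PERL5LIB": "/tmp/lib",
}

if __name__ == "__main__":
    policies = [
        ("env_check only", (), ("DISPLAY", "XAUTHORITY")),
        ("env_keep for X11", ("DISPLAY", "XAUTHORITY"), ()),
    ]
    for label, keep, check in policies:
        passed, dropped = filter_env(CALLER_ENV, keep, check)
        print(label, "-> passed:", sorted(passed))
        for name, reason in sorted(dropped.items()):
            print("   dropped", name, "(" + reason + ")")
```

Because XAUTHORITY holds a path, it can only survive through env_keep, while PERL5LIB is dropped under either policy unless an administrator lists it explicitly.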

		




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 12:41:13 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 21:21:45 2014; Machine Name: buxtehude.debian.org
