Debian Bug report logs - #349196
sudo: DSA-946-1 broke joe horribly


Package: sudo; Maintainer for sudo is Bdale Garbee <bdale@gag.com>; Source for sudo is src:sudo.

Reported by: Josip Rodin <joy@debbugs.entuzijast.net>

Date: Sat, 21 Jan 2006 14:03:05 UTC

Severity: critical

Tags: patch

Merged with 349549, 349587, 349729

Found in version sudo/1.6.8p7-1.3

Fixed in version sudo/1.6.8p12-2

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Bdale Garbee <bdale@gag.com>:
Bug#349196; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Josip Rodin <joy@srce.hr>:
New Bug report received and forwarded. Copy sent to security@debian.org, Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Josip Rodin <joy@srce.hr>
To: submit@bugs.debian.org
Subject: sudo: DSA-946-1 broke joe horribly
Date: Sat, 21 Jan 2006 14:54:18 +0100
Package: sudo
Version: 1.6.8p7-1.3
Severity: grave

Hi,

Since upgrading to this version from security.d.o, I can no longer run
sudo joe, it gives an instant segmentation fault and dumps core.
(gdb says the problem is in a fgets() and a series of ustat()s.)

Furthermore, visudo now ignores $EDITOR and seems to run the editor
alternative. You can imagine my utter horror when seeing the sudoers file
in the mc editor (which happens to register itself with a high score in
the alternative).

You're not supposed to break shit in stable like this. That's what stable is
for - for new functionality to be avoided because it's potentially buggy.
I don't care if the underlying editor is actually broken or anything like
- if so, that is something that can be fixed in the next release and
documented in the Release Notes. Breaking it just because you decided that
this will fix some unrelated Python or Ruby issues is simply not the way.

Please unbreak my editor ASAP. TIA.

-- 
     2. That which causes joy or happiness.



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#349196; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Max Bowsher <maxb1@ukf.net>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #10 received at 349196@bugs.debian.org (full text, mbox):

From: Max Bowsher <maxb1@ukf.net>
To: 349196@bugs.debian.org
Subject: sudo 1.6.8p7-1.3 significantly changes package behaviour (IN STABLE!) without any configurability to the old behaviour and without documentation
Date: Sat, 21 Jan 2006 23:13:30 +0000
I too would like to register a complaint about broken working methods
with sudo 1.6.8p7-1.3.

The preservation of all environment variables is not necessarily a
security flaw when done by a user with ALL commands sudoers rights. When
such a user is using 'sudo -s', it can be highly desirable not to purge any
environment variables, so that a suitably authorized user can gain root
whilst carrying with them their preferred shell environment, including
any temporary settings they may have made in the current session.

The sudo 1.6.8p7-1.3 package totally removes this facility. There is no
provision made for accessing the old behaviour through configuration,
and there is no documentation of this major change in package behaviour.
Doing this in 'stable' rather mocks the name of the distribution.

Please restore this lost functionality. In the mean time, I have rolled
back to 1.6.8p7-1.2.

Max.


Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#349196; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Paul Telford <pxt@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #15 received at 349196@bugs.debian.org (full text, mbox):

From: Paul Telford <pxt@debian.org>
To: 349196@bugs.debian.org
Subject: Re: sudo: DSA-946-1 broke joe horribly
Date: Mon, 23 Jan 2006 08:32:43 -0800
On a related note, 'sudo vi <anyfile>' now complains about not being
able to open $HOME/.viminfo when I exit vi and requires a carriage
return to acknowledge.  I had to go out and research that I need to
add "Defaults env_reset" to my sudoers file -- this seems like
breakage for a stable release.


Thanks,



 Paul.



Merged 349196 349587. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 349196 349549 349587. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#349196; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Freek Dijkstra <public@macfreek.nl>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #24 received at 349196@bugs.debian.org (full text, mbox):

From: Freek Dijkstra <public@macfreek.nl>
To: 349196@bugs.debian.org
Subject: Intended behaviour
Date: Sat, 28 Jan 2006 20:09:12 +0100
Apparently, this is intended behaviour:

http://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00019.html

I applaud the security team for reacting so promptly, though I think 
this particular bug fix is an excellent example of how NOT to do it. You're 
definitely not the only one who is affected (everyone using sudo is 
affected). In this case, the user should have been presented a big warning 
during the apt-get upgrade, telling he/she should alter /etc/sudoers.

I hope that either the maintainer of sudo or the security team can 
create a new patch to give such a warning to whoever is upgrading.

FYI: I first considered downgrading, since I'd rather have a working sudo, 
security fix or not. I'm afraid I can only regard this as very bad 
publicity for the security team.

Regards,
Freek



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#349196; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Pirate <pirate@trendal.hu>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #29 received at 349196@bugs.debian.org (full text, mbox):

From: Pirate <pirate@trendal.hu>
To: Debian Bug Tracking System <349196@bugs.debian.org>
Subject: after sudo upgrade, the "sudo joe filename" command yields a segfault
Date: Sun, 29 Jan 2006 23:40:53 +0100
Package: sudo
Version: 1.6.8p7-1.3
Followup-For: Bug #349196


After sudo (security) upgrade, the "sudo joe filename" command just segfaults.
This command worked fine before.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.12.3-scorpion
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages sudo depends on:
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-22      Pluggable Authentication Modules f
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#349196; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Mikko Rapeli <mikko.rapeli@vtt.fi>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #34 received at 349196@bugs.debian.org (full text, mbox):

From: Mikko Rapeli <mikko.rapeli@vtt.fi>
To: 349196@bugs.debian.org
Cc: team@security.debian.org
Subject: a fix for sudo in sarge
Date: Thu, 9 Feb 2006 17:28:30 +0200
This seems to work and allows me to use ethereal remotely through ssh again.

The for loop was just copied from above and keepit changed to okvar, so this is
pretty simple. We did go through all the bits and if clauses and tested the
result manually. The manual page changes are pretty obvious too.

I did not go through the list of environment variables mentioned on 
manual pages and 'sudo -V' when run as root, but perhaps the documentation
is enough as this is only first aid for sarge.

-Mikko
[sudo_env_fix_01.patch (text/plain, attachment)]
[sudo_env_fix_documentation_01.patch (text/plain, attachment)]
[sudo_env_fix_cl_01.patch (text/plain, attachment)]

Severity set to `critical'. Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 349196 349549 349587 349729. Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#349196; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #43 received at 349196@bugs.debian.org (full text, mbox):

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Mikko Rapeli <mikko.rapeli@vtt.fi>, 349196@bugs.debian.org, Debian Bugs Control Bot <control@bugs.debian.org>
Cc: team@security.debian.org
Subject: Re: a fix for sudo in sarge
Date: Fri, 3 Mar 2006 12:18:09 +0100
tags 349196 + patch
thanks

On Thu, Feb 09, 2006 at 05:28:30PM +0200, Mikko Rapeli wrote:
> This seems to work and allows me to use ethereal remotely through ssh again.
> 
> The for loop was just copied from above and keepit changed to okvar, so this is
> pretty simple. We did go through all the bits and if clauses and tested the
> result manually. The manual page changes are pretty obvious too.
> 
> I did not go through the list of environment variables mentioned on 
> manual pages and 'sudo -V' when run as root, but perhaps the documentation
> is enough as this is only first aid for sarge.

Thank you for preparing a patch.

Bdale, Security team, what do you think about it?

--Jeroen

-- 
Jeroen van Wolffelaar
jeroen@wolffelaar.nl
http://jeroen.A-Eskwadraat.nl



Tags added: patch Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#349196; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #50 received at 349196@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Mikko Rapeli <mikko.rapeli@vtt.fi>
Cc: 349196@bugs.debian.org, team@security.debian.org
Subject: Re: a fix for sudo in sarge
Date: Mon, 20 Mar 2006 11:20:57 +0100
Proposed updates for woody and sarge are here:
http://klecker.debian.org/~joey/security/sudo/
I'd be glad if you could test them.

Regards,

	Joey

-- 
Linux - the choice of a GNU generation.

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#349196; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Ewen McNeill <ewen@naos.co.nz>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #55 received at 349196@bugs.debian.org (full text, mbox):

From: Ewen McNeill <ewen@naos.co.nz>
To: 349587@bugs.debian.org
Cc: 349196@bugs.debian.org, Martin Schulze <joey@infodrom.org>
Subject: sudo: proposed fix seems okay (was Re: sudo: DSA946: omitting $HOME)
Date: Tue, 21 Mar 2006 15:53:45 +1200
Ewen McNeill writes:
>In reply to bug 349729 Martin Schulze <joey@infodrom.org> wrote:
>>http://www.debian.org/security/2006/dsa-946     [...]
>>[the advisory indicates only LC_*, LANG, LANGUAGE and TERM are passed through]
>[ The discussion is now merged into:
>  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349587   
>]
>
>Out of interest what was the rationale for omitting $HOME from this list?

I see that the proposed update noted in bug 349196 (which unfortunately
I missed before sending in my earlier comment) restores $HOME to the list
of environment variables allowed by default.  The Sarge package at:

http://klecker.debian.org/~joey/security/sudo/

(referenced from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349196)

seems to work for me, at least to resolve the issue I was having with
vim and $HOME/.viminfo.

Although curiously the extra variables allowed (HOME, LOGNAME, PATH,
SHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, LANG, LANGUAGE, LC_*, 
and USER), don't appear in the "sudo -V" list of variables to check;
only the original list of variables (in -1.3) appears there.  Presumably
this means they're being retained unconditionally which may or may not
be desirable.

Ewen
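
The two keep-lists discussed in this thread, as an added example that is not part of the original messages and is not sudo's own code: a small allowlist filter run over a constructed caller environment, showing why HOME, DISPLAY and XAUTHORITY vanished under -1.3 and return under the proposed update. The names reset_env, kept, count_kept and the sample values are assumptions made for illustration; the SUDO_* variables the changelog mentions are not modelled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Names kept by each package revision, as stated in this bug log.
 * A trailing '*' means "match by prefix". */
static const char *const keep_1_3[] = { "LC_*", "LANG", "LANGUAGE", "TERM", NULL };
static const char *const keep_1_4[] = {
    "HOME", "LOGNAME", "PATH", "SHELL", "TERM", "DISPLAY", "XAUTHORITY",
    "XAUTHORIZATION", "LANG", "LANGUAGE", "LC_*", "USER", NULL
};

/* Constructed sample of a caller's environment (not taken from the report). */
static const char *const sample_env[] = {
    "HOME=/home/alice", "EDITOR=joe", "DISPLAY=localhost:10.0",
    "XAUTHORITY=/home/alice/.Xauthority", "LC_ALL=C", "LANG=C", "TERM=xterm",
    "SSH_AGENT_PID=1234", "PYTHONPATH=/tmp/mods", "HOMEX=1", "=bogus",
    "NOEQUALS", NULL
};

/* Exact match on the whole name, or prefix match for patterns ending in '*'.
 * Comparing lengths keeps HOMEX from matching HOME and PYTHONPATH from PATH. */
static int name_matches(const char *pattern, const char *name, size_t name_len)
{
    size_t plen = strlen(pattern);
    if (plen > 0 && pattern[plen - 1] == '*')
        return name_len >= plen - 1 && strncmp(pattern, name, plen - 1) == 0;
    return plen == name_len && strncmp(pattern, name, name_len) == 0;
}

/* Copy into out[] only the entries of in[] whose name is on the keep-list.
 * Entries with no '=' or an empty name are dropped. out[] is NULL-terminated;
 * returns the number of entries kept. */
size_t reset_env(const char *const keep[], const char *const in[],
                 const char *out[], size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != NULL; i++) {
        const char *eq = strchr(in[i], '=');
        if (eq == NULL || eq == in[i])
            continue;
        size_t name_len = (size_t)(eq - in[i]);
        for (size_t k = 0; keep[k] != NULL; k++) {
            if (name_matches(keep[k], in[i], name_len)) {
                if (n + 1 < cap)
                    out[n++] = in[i];
                break;
            }
        }
    }
    if (cap > 0)
        out[n] = NULL;
    return n;
}

/* Does the variable survive the given keep-list when applied to sample_env? */
int kept(const char *const keep[], const char *name)
{
    const char *out[32];
    size_t n = reset_env(keep, sample_env, out, 32);
    size_t len = strlen(name);
    for (size_t i = 0; i < n; i++)
        if (strncmp(out[i], name, len) == 0 && out[i][len] == '=')
            return 1;
    return 0;
}

/* How many sample_env entries survive the given keep-list? */
size_t count_kept(const char *const keep[])
{
    const char *out[32];
    return reset_env(keep, sample_env, out, 32);
}

int main(void)
{
    const char *probe[] = { "HOME", "DISPLAY", "XAUTHORITY", "EDITOR",
                            "SSH_AGENT_PID", "PYTHONPATH", "TERM", NULL };
    printf("%-14s %-6s %-6s\n", "variable", "-1.3", "-1.4");
    for (size_t i = 0; probe[i] != NULL; i++)
        printf("%-14s %-6s %-6s\n", probe[i],
               kept(keep_1_3, probe[i]) ? "kept" : "gone",
               kept(keep_1_4, probe[i]) ? "kept" : "gone");
    printf("total kept: %zu vs %zu\n",
           count_kept(keep_1_3), count_kept(keep_1_4));
    return 0;
}
```
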



Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Josip Rodin <joy@srce.hr>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #60 received at 349196-close@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: 349196-close@bugs.debian.org
Subject: Bug#349196: fixed in sudo 1.6.8p12-2
Date: Sun, 02 Apr 2006 15:02:19 -0700
Source: sudo
Source-Version: 1.6.8p12-2

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo-ldap_1.6.8p12-2_i386.deb
  to pool/main/s/sudo/sudo-ldap_1.6.8p12-2_i386.deb
sudo_1.6.8p12-2.diff.gz
  to pool/main/s/sudo/sudo_1.6.8p12-2.diff.gz
sudo_1.6.8p12-2.dsc
  to pool/main/s/sudo/sudo_1.6.8p12-2.dsc
sudo_1.6.8p12-2_i386.deb
  to pool/main/s/sudo/sudo_1.6.8p12-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 349196@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun,  2 Apr 2006 14:26:20 -0700
Source: sudo
Binary: sudo-ldap sudo
Architecture: source i386
Version: 1.6.8p12-2
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 161012 203874 220808 228551 292833 314949 315115 315718 346325 349085 349129 349196 349549 349587 349729 350776 354431
Changes: 
 sudo (1.6.8p12-2) unstable; urgency=low
 .
   * fix typos in init scripts, closes: #346325
   * update to debhelper compat level 5
   * build depend on autotools-dev to ensure config.sub/guess are fresh
   * accept patch from Martin Schulze developed for 1.6.8p7-1.4 in stable, and
     use it here as well.  Thanks to Martin and the debian-security team.
     closes: #349196, #349549, #349587, #349729, #349129, #350776, #349085
     closes: #315115, #315718, #203874
     * Non-maintainer upload by the Security Team
     * Reworked the former patch to limit environment variables from being
       passed through, set env_reset as default instead [sudo.c, env.c,
       sudoers.pod, Bug#342948, CVE-2005-4158]
     * env_reset is now set by default
     * env_reset will preserve only HOME, LOGNAME, PATH, SHELL, TERM,
       DISPLAY, XAUTHORITY, XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER
       (in addition to the SUDO_* variables)
     * Rebuild sudoers.man.in from the POD file
     * Added README.Debian
   * patch from Alexander Zangerl to fix duplicated PATH issue, closes: #354431
   * simplify rules file by using more of Makefile, despite having to override
     default directories with more arguments to configure, closes: #292833
   * update sudo man page to reflect use of SECURE_PATH, closes: #228551
   * inconsistencies in sudoers man page resolved, closes: #220808, #161012
   * patch from Jeroen van Wolffelaar to improve behavior when FQDNs are
     unresolveable (requires adding bison as build dep), closes: #314949
Files: 
 73d77951ae86e88e906d28d0f94abb33 615 admin optional sudo_1.6.8p12-2.dsc
 b3205e53c871e64824c6b338c9fa8a35 33108 admin optional sudo_1.6.8p12-2.diff.gz
 22698e7f33a3f7179ec3ab59d24e4fec 161506 admin optional sudo_1.6.8p12-2_i386.deb
 d2418ccc65a98154b15c7b3c1342462b 173910 admin optional sudo-ldap_1.6.8p12-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEMEhZZKfAp/LPAagRAkw0AJwJq5L7amKiN48J0ldHRH3Sv29yFACbBi1b
LP3jMinYQ8qNMfE81BL1G9U=
=NSf8
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#349196; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Mikko Rapeli <mikko.rapeli@vtt.fi>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #80 received at 349196@bugs.debian.org (full text, mbox):

From: Mikko Rapeli <mikko.rapeli@vtt.fi>
To: Martin Schulze <joey@infodrom.org>
Cc: 349196@bugs.debian.org, team@security.debian.org
Subject: Re: a fix for sudo in sarge
Date: Tue, 4 Apr 2006 12:34:45 +0300
On Mon, Mar 20, 2006 at 11:20:57AM +0100, Martin Schulze wrote:
> Proposed updates for woody and sarge are here:
> http://klecker.debian.org/~joey/security/sudo/
> I'd be glad if you could test them.

The patch from 1.6.8p7-1.3 to 1.6.8p7-1.4 is logical
and works well in my use cases. Thanks.

-Mikko



Bug reopened, originator not changed. Request was from Cyril Bouthors <cyb@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as fixed in version 1.6.8p12-2, send any further explanations to Berend Reitsma <breitsma@gmail.com> Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information stored:
Bug#349196; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Josip Rodin <joy@srce.hr>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #89 received at 349196-quiet@bugs.debian.org (full text, mbox):

From: Josip Rodin <joy@srce.hr>
To: Steve Langasek <vorlon@debian.org>
Cc: 349196-quiet@bugs.debian.org
Subject: Re: Bug#349196 acknowledged by developer (Re: Bug#349587: $SSH_AGENT_PID is still not available with sudo -s)
Date: Wed, 5 Apr 2006 23:06:24 +0200
On Wed, Apr 05, 2006 at 12:48:08PM -0700, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> #349196: sudo: DSA-946-1 broke joe horribly,
> which was filed against the sudo package.
> 
> It has been marked as closed by one of the developers, namely
> Steve Langasek <vorlon@debian.org>.
> 
> You should be hearing from them with a substantive response shortly,
> in case you haven't already. If not, please contact them directly.

Please be careful when dealing with merged bugs in control messages, because
the result of this action is fairly confusing for the submitter.

-- 
     2. That which causes joy or happiness.



Changed Bug submitter from Josip Rodin <joy@srce.hr> to Josip Rodin <joy@debbugs.entuzijast.net>. Request was from Josip Rodin <joy@debbugs.entuzijast.net> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 01:31:15 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 00:35:29 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.