Debian Bug report logs - #585394
CVE-2010-1646: Sudo's secure path option can be circumvented

version graph

Package: sudo; Maintainer for sudo is Bdale Garbee <bdale@gag.com>; Source for sudo is src:sudo.

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Thu, 10 Jun 2010 09:21:01 UTC

Severity: grave

Tags: security

Fixed in versions sudo/1.7.2p7-1, sudo/1.6.9p17-3

Done: Bdale Garbee <bdale@gag.com>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#585394; Package sudo. (Thu, 10 Jun 2010 09:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Bdale Garbee <bdale@gag.com>. (Thu, 10 Jun 2010 09:21:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-1646: Sudo's secure path option can be circumvented
Date: Thu, 10 Jun 2010 11:18:26 +0200
[Message part 1 (text/plain, inline)]
Package: sudo
Severity: grave
Tags: security
Justification: user security hole

Please see http://www.gratisoft.us/sudo/alerts/secure_path.html

Patch for Lenny is attached, for Squeeze it's likely best to
update to 1.7.2p7.

Cheers,
        Moritz
[CVE-2010-1646.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#585394; Package sudo. (Thu, 10 Jun 2010 21:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list. (Thu, 10 Jun 2010 21:42:03 GMT) Full text and rfc822 format available.

Message #10 received at 585394@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 585394@bugs.debian.org
Subject: Re: Bug#585394: CVE-2010-1646: Sudo's secure path option can be circumvented
Date: Thu, 10 Jun 2010 15:39:02 -0600
[Message part 1 (text/plain, inline)]
On Thu, 10 Jun 2010 11:18:26 +0200, Moritz Muehlenhoff <muehlenhoff@univention.de> wrote:
> Package: sudo
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Please see http://www.gratisoft.us/sudo/alerts/secure_path.html
> 
> Patch for Lenny is attached, for Squeeze it's likely best to
> update to 1.7.2p7.

Thanks for the forward, working on an update for unstable now.

Bdale
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility. (Thu, 10 Jun 2010 22:48:08 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Thu, 10 Jun 2010 22:48:08 GMT) Full text and rfc822 format available.

Message #15 received at 585394-close@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: 585394-close@bugs.debian.org
Subject: Bug#585394: fixed in sudo 1.7.2p7-1
Date: Thu, 10 Jun 2010 22:47:10 +0000
Source: sudo
Source-Version: 1.7.2p7-1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo-ldap_1.7.2p7-1_i386.deb
  to main/s/sudo/sudo-ldap_1.7.2p7-1_i386.deb
sudo_1.7.2p7-1.debian.tar.gz
  to main/s/sudo/sudo_1.7.2p7-1.debian.tar.gz
sudo_1.7.2p7-1.dsc
  to main/s/sudo/sudo_1.7.2p7-1.dsc
sudo_1.7.2p7-1_i386.deb
  to main/s/sudo/sudo_1.7.2p7-1_i386.deb
sudo_1.7.2p7.orig.tar.gz
  to main/s/sudo/sudo_1.7.2p7.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 585394@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 10 Jun 2010 15:42:14 -0600
Source: sudo
Binary: sudo sudo-ldap
Architecture: source i386
Version: 1.7.2p7-1
Distribution: unstable
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 522065 581393 585394
Changes: 
 sudo (1.7.2p7-1) unstable; urgency=high
 .
   * new upstream release with security fix for secure path (CVE-2010-1646),
     closes: #585394
   * move timestamps from /var/run/sudo to /var/lib/sudo, so that the state
     about whether to give the lecture is preserved across reboots even when
     RAMRUN is set, closes: #581393
   * add a note to README.Debian about LDAP needing an entry in
     /etc/nsswitch.conf, closes: #522065
   * add a note to README.Debian about how to turn off lectures if using
     RAMRUN in /etc/default/rcS, closes: #581393
Checksums-Sha1: 
 5cc913fa4a9e01251117187b356fee590836940f 1669 sudo_1.7.2p7-1.dsc
 0504e0d7b1d3c987e48325ec4caa6ebfe5237ff5 772356 sudo_1.7.2p7.orig.tar.gz
 c932fac6cd1d1bf4b07e239b9b2001bf83352433 21411 sudo_1.7.2p7-1.debian.tar.gz
 1c2d8e773d6258456edf1b6de9b4c1e6e6eb0c67 310522 sudo_1.7.2p7-1_i386.deb
 64b555bb670ca0277d8f8b97992614362b94ee30 334782 sudo-ldap_1.7.2p7-1_i386.deb
Checksums-Sha256: 
 fa0468ecc2cb9067f058731103a01d0fc5cfddb82111fc9ea920a27231e6d437 1669 sudo_1.7.2p7-1.dsc
 07a9c83e628a088314523e558236ac3c4cb0d54d7d7093e5b3e4c8101b1a2bea 772356 sudo_1.7.2p7.orig.tar.gz
 2caf90754a55531eddc162981cdfdf9236f9fa1fcdbcff48b293ca0a17fd3f07 21411 sudo_1.7.2p7-1.debian.tar.gz
 c65427cd0a0e7e8d6050887a3ff07c4d6730203c3a0f10fc2869404b0735a335 310522 sudo_1.7.2p7-1_i386.deb
 5a0e796ab7f3250fb7af13fb66ca10d3b38999829440ee859936820d72795709 334782 sudo-ldap_1.7.2p7-1_i386.deb
Files: 
 5e0d1b3f2e43ed356baed1ce63c9dc6b 1669 admin optional sudo_1.7.2p7-1.dsc
 3ac78668427a53e12d7639fdfab2f1af 772356 admin optional sudo_1.7.2p7.orig.tar.gz
 814f901b243758ef5bcea4ebe87ac01f 21411 admin optional sudo_1.7.2p7-1.debian.tar.gz
 3b0747242cf7f719b832d91f3595e5ba 310522 admin optional sudo_1.7.2p7-1_i386.deb
 c829535cfb5984e9060f00f2171ec403 334782 admin optional sudo-ldap_1.7.2p7-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIVAwUBTBFqXDqTYZbAldlBAQoqyBAAiX2Q/mHUwXYPqXbBj7+CuQjLwvK1Qnwy
rK1tQLhGVIBcIfK7dyysZKhxITjbs9ubnbBhjGyCAF5Cx5wdY2CvUD2Jf20wi2WX
SduOKZP+lPxwe085sSA55qTgHenxeYDAULHQMHrmduQJ6/kLtWeGRHWDGTstidc2
HEtrx0dX9dPFf8QrI1lK479taHsmMy11o+/QVj1Go/3JVbdt/cbl6dBrj4Zef+UI
Hye1fLQWPJR+8yt8Z8jAMBCitOyxFYdb7XJnDJLf7pCIcBix79zutbRCl9g4AECS
X6z2IO6ltJTRFA9MttNXBKyzNSojKQs7JTc9gyhROcDhNNlorMop0Z/SjiM8Fazv
nsCEJtqvzl5cla8jdDp8es4F6D04R1BgMUkjnQSv/nxLkps73fAogyrG0OK1f3QY
sfFWBWOZbBlJiBAulNY9CLCDiBNdQ1uFOh4888fPu/3WT4CbSdbtVvmnxo/ewSxU
ZdJcN4p0bUGRdIywv4pf+gBCBYZ/rrOT+CvAxcroNlpiZnYdM6B5rWteNyzZdP4D
9SK4cUWBgo66id9+iagu0BViB7v+IOGFryYgHq2lwipypZDCEET0hsgu34/AEjxW
RCtYl78pon98mXOq3CtSR+l4SR3Kxg5LWp1iXaRTZ2swNdZokT1SRnYO76o6cVzj
wZ9Ohd9eUA4=
=4Q77
-----END PGP SIGNATURE-----





Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility. (Thu, 17 Jun 2010 13:57:08 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Thu, 17 Jun 2010 13:57:08 GMT) Full text and rfc822 format available.

Message #20 received at 585394-close@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: 585394-close@bugs.debian.org
Subject: Bug#585394: fixed in sudo 1.6.9p17-3
Date: Thu, 17 Jun 2010 13:52:45 +0000
Source: sudo
Source-Version: 1.6.9p17-3

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo-ldap_1.6.9p17-3_i386.deb
  to main/s/sudo/sudo-ldap_1.6.9p17-3_i386.deb
sudo_1.6.9p17-3.diff.gz
  to main/s/sudo/sudo_1.6.9p17-3.diff.gz
sudo_1.6.9p17-3.dsc
  to main/s/sudo/sudo_1.6.9p17-3.dsc
sudo_1.6.9p17-3_i386.deb
  to main/s/sudo/sudo_1.6.9p17-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 585394@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 10 Jun 2010 17:30:33 -0600
Source: sudo
Binary: sudo sudo-ldap
Architecture: source i386
Version: 1.6.9p17-3
Distribution: stable-security
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 585394
Changes: 
 sudo (1.6.9p17-3) stable-security; urgency=high
 .
   * Patch from Moritz Muehlenhoff fixing CVE-2010-1646, in which secure path
     could be circumvented, closes: #585394
Checksums-Sha1: 
 8cc1ed02c0d4b6c98a3a1dee14ad7f0f65840ce2 1636 sudo_1.6.9p17-3.dsc
 fe14e8c7141ed7f9d2044fa3a21866f3a6362784 22680 sudo_1.6.9p17-3.diff.gz
 506c110be0252deafc872f14e274174ef6211991 176354 sudo_1.6.9p17-3_i386.deb
 dea5f107b705c7b77dc449d3aab50c6cb2bfa9bf 188014 sudo-ldap_1.6.9p17-3_i386.deb
Checksums-Sha256: 
 bb5393cb5503dc82e9393a680df606b4f14b868bac5d52a33dfaf3dec208faf1 1636 sudo_1.6.9p17-3.dsc
 7668db5af6cb04c7d0614a3b95799d15ace955b900f4d4a6a5e2b525ccb5a0c7 22680 sudo_1.6.9p17-3.diff.gz
 30f6b05218e6de9d4639a98be2bece49f96de923934987d935588656fa6b48d1 176354 sudo_1.6.9p17-3_i386.deb
 81b1c72942f99b98b592f1a62040c59c31836d4485d4cec4b35fcfa92219e946 188014 sudo-ldap_1.6.9p17-3_i386.deb
Files: 
 c9e25ecaf202c03ef25df5ae1ff3f275 1636 admin optional sudo_1.6.9p17-3.dsc
 0dbccca405985efdbad35890d3c3f8a1 22680 admin optional sudo_1.6.9p17-3.diff.gz
 7afb577238bcf9d9b65ca69d70096157 176354 admin optional sudo_1.6.9p17-3_i386.deb
 ce2cad49130d76a8190e9a2171cd8cd4 188014 admin optional sudo-ldap_1.6.9p17-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIVAwUBTBJYkDqTYZbAldlBAQoAmg//RgBIk8GOT22iUXE+WNul3mEofUQCjjKH
ZMZIuC9xk/HCAaY51cVYsXD8UNaACdXm3pD58UFuX5rtsg/FpMLhlVzwi/0i2Ofa
qSmdnA226C+wbfu7CwXN8M3sjTBfX/ufWWsTU9qv1Jd5/96p+ypc8PPvkDwpuFiW
+BCPV6NuGs4IONa+FJHTlTW7AF7/3jVsF1cWFzVh3mHEGfz9tRTHlDBdOsYvHIiV
b8Fhj0oNKLHegpVa86X3vKgJw5WB9/mnUoLyUQeUxsgTy3PdY5QLJNCwUO9sDIqk
b9D2/ui7CmPaUmyqJcI+36ekumDQXcphCMUqdRlFWQQXGJJJ/qsvyJQn8eCcandj
CRdGZfl/7EuVAZbBh/zc1QkLOnGBvYCCbJUYaWthU4d1LpJwH0AAPv+JKQVCnlYi
FRaQgiGWauHCB7M2uK2PM8xDDcY95meSG9SgAbiSE2p6aTWC51GtFBxpgBw7vGUB
c4znXnR17bckBkVyJsBZ/hhFHmUIRiWACDmWP2oyz0tCGFGPhjo/HCMN8qmO8W4x
awZyFRzywNig9nd/E7Yf3xOGYatyc51GcF7dW+OA/51ZNrD1jWGrAvC2YTW0+EgM
A8i8b9i+lbxCKVEvfE6OLcjtyatGBaxYChGVLk5cpqja37GKASVUN1mj7RIZW26H
tBoS1sNSkdE=
=E6P7
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 19 Aug 2010 07:40:08 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 08:48:42 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.