Bug 17117

Summary: sudo new security issue CVE-2015-5602
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/663793/
Whiteboard: has_procedure mga5-32-ok mga5-64-ok advisory
Source RPM: sudo-1.8.12-2.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-11-09 21:54:32 CET 
Fedora has issued an advisory on November 8:
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171024.html

The patch is linked in the RedHat bug, but doesn't appear to be backportable:
https://bugzilla.redhat.com/show_bug.cgi?id=1277426

The issue is fixed upstream in 1.8.15.

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated sudo packages fix security vulnerability:

An unauthorized privilege escalation was found in sudoedit in sudo before
1.8.15 when a user is granted with root access to modify a particular file
that could be located in a subset of directories. It seems that sudoedit does
not check the full path if a wildcard is used twice (e.g. /home/*/*/file.txt),
allowing a malicious user to replace the file.txt real file with a symbolic
link to a different location (e.g. /etc/shadow), which results in
unauthorized access (CVE-2015-5602).

The sudo package has been updated to version 1.8.15, which fixes this issue,
and also includes many other bug fixes and changes.  See the upstream change
log for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5602
http://www.sudo.ws/stable.html#1.8.15
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171024.html
========================

Updated packages in core/updates_testing:
========================
sudo-1.8.15-1.mga5
sudo-devel-1.8.15-1.mga5

from sudo-1.8.15-1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-11-09 21:54:52 CET 
Basic sudo setup if you haven't used it before:
https://wiki.mageia.org/en/Configuring_sudo
Comment 2 claire robinson 2015-11-10 09:48:21 CET 
$ sudo echo rpm -q sudo
[sudo] password for claire: 
sudo-1.8.15-1.mga5

Whiteboard: (none) => has_procedure mga5-64-ok

Comment 3 claire robinson 2015-11-10 09:50:05 CET 
OOps copy/paste error..

$ sudo rpm -q sudo
[sudo] password for claire: 
sudo-1.8.15-1.mga5

$ sudo echo "slaps self"
slaps self

$ sudo whoami
root
Comment 4 William Kenney 2015-11-10 17:26:09 CET 
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
sudo

default install of sudo

[root@localhost wilcal]# urpmi sudo
Package sudo-1.8.12-2.mga5.i586 is already installed

[root@localhost wilcal]# sudo rpm -q sudo
sudo-1.8.12-2.mga5
[root@localhost wilcal]# sudo echo "slaps self"
slaps self
[root@localhost wilcal]# sudo whoami
root

install sudo from updates_testing

[root@localhost wilcal]# urpmi sudo
Package sudo-1.8.15-1.mga5.i586 is already installed

[root@localhost wilcal]# sudo rpm -q sudo
sudo-1.8.15-1.mga5
[root@localhost wilcal]# sudo echo "slaps self"
slaps self
[root@localhost wilcal]# sudo whoami
root

CC: (none) => wilcal.int

William Kenney 2015-11-10 17:26:32 CET

Whiteboard: has_procedure mga5-64-ok => has_procedure mga5-32-ok mga5-64-ok

Comment 5 William Kenney 2015-11-10 17:26:58 CET 
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2015-11-10 20:40:04 CET

CC: (none) => davidwhodgins
Whiteboard: has_procedure mga5-32-ok mga5-64-ok => has_procedure mga5-32-ok mga5-64-ok advisory

Comment 6 Mageia Robot 2015-11-10 22:27:38 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0443.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 7 David Walser 2016-11-15 20:45:24 CET 
Upstream has issued an advisory on October 26, 2016:
https://www.sudo.ws/alerts/noexec_bypass.html

LWN reference:
http://lwn.net/Vulnerabilities/706476/

That issue, CVE-2016-7032, was also fixed by this update.