Bug 18989

Summary: sudo new security issue CVE-2015-8239
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, makowski.mageia, marja11, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/694789/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: sudo-1.8.15-3.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-07-19 16:43:01 CEST 
Fedora has issued an advisory on July 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BLFXPDF67QZECU6EMPWYU4FGK6PNZ3M4/

It appears that they fixed it by upgrading to 1.8.17p1.

The RedHat bug links some commits related to this:
https://bugzilla.redhat.com/show_bug.cgi?id=1283635

Mageia 5 is also affected.
David Walser 2016-07-19 16:43:08 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-07-20 18:48:31 CEST 
Assigning to all packagers collectively, since there is no maintainer for this package.

CC: (none) => makowski.mageia, marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2016-07-22 16:57:23 CEST 
Freeze push requested for Cauldron for 1.8.17p1.  Also checked into Mageia 5 SVN.

https://www.sudo.ws/stable.html
Comment 3 David Walser 2016-07-22 21:06:43 CEST 
Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated sudo packages fix security vulnerability:

A vulnerability in functionality for adding support of SHA-2 digests along with
the command was found. The sudoers plugin performs this digest verification
while matching rules, and later independently calls execve() to execute the
binary. This results in a race condition if the digest functionality is used as
suggested (in fact, the rules are matched before the user is prompted for a
password, so there is not negligible time frame to replace the binary from
underneath sudo) (CVE-2015-8239).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8239
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BLFXPDF67QZECU6EMPWYU4FGK6PNZ3M4/
========================

Updated packages in core/updates_testing:
========================
sudo-1.8.17p1-1.mga5
sudo-devel-1.8.17p1-1.mga5

from sudo-1.8.17p1-1.mga5.src.rpm

Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 4 David Walser 2016-07-24 00:44:49 CEST 
Tested it on two servers at work, one Mageia 5 i586 and the other Mageia 5 x86_64.  It still works fine.

Whiteboard: (none) => MGA5-32-OK MGA5-64-OK

Dave Hodgins 2016-07-26 22:52:21 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2016-07-26 23:17:04 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0261.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2016-08-24 16:01:59 CEST 
Another commit in this update:
r1020459 | luigiwalser | 2016-06-06 12:41:06 -0400 (Mon, 06 Jun 2016) | 1 line

remove INPUTRC from env_keep due to possible info leak (rhbz#1339935)

fixed an issue that has just received a CVE request:
http://www.openwall.com/lists/oss-security/2016/08/24/1
Comment 7 David Walser 2016-08-25 17:10:33 CEST 
(In reply to David Walser from comment #6)
> Another commit in this update:
> r1020459 | luigiwalser | 2016-06-06 12:41:06 -0400 (Mon, 06 Jun 2016) | 1
> line
> 
> remove INPUTRC from env_keep due to possible info leak (rhbz#1339935)
> 
> fixed an issue that has just received a CVE request:
> http://www.openwall.com/lists/oss-security/2016/08/24/1

This received CVE-2016-7091:
http://openwall.com/lists/oss-security/2016/08/25/2
Comment 8 David Walser 2016-11-04 16:10:24 CET 
LWN reference for CVE-2016-7091:
http://lwn.net/Vulnerabilities/705575/