Bug 19762

Summary: sudo new security issue CVE-2016-7076
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, mageia, marja11, mhrambo3501, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/706398/
Whiteboard: MGA5-32-OK advisory
Source RPM: sudo-1.8.17p1-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-11-11 23:01:08 CET 
Upstream has issued an advisory on October 26:
https://www.sudo.ws/alerts/noexec_wordexp.html

The issue is fixed in 1.8.18p1:
https://www.sudo.ws/stable.html#1.8.18p1

Freeze push requested for Cauldron.  We could probably just update it for Mageia 5.
Comment 1 David Walser 2016-11-12 00:36:11 CET 
Fedora has issued an advisory for this today (November 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DBELDP5KT7URCP7P3RQFYBBKPBNLAJY6/
Comment 2 Marja Van Waes 2016-11-12 10:25:00 CET 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

David Walser 2016-11-14 19:35:09 CET

URL: (none) => http://lwn.net/Vulnerabilities/706398/

Comment 3 Nicolas Lécureuil 2016-11-16 16:01:39 CET 
available in updates_testing

SRPMS: sudo-1.8.18p1-1.mga5

CC: (none) => mageia
Assignee: pkg-bugs => qa-bugs

Comment 4 David Walser 2016-11-16 16:48:16 CET 
Advisory:
========================

Updated sudo packages fix security vulnerability:

It was discovered that the sudo noexec restriction could have been bypassed if
application run via sudo executed wordexp() C library function with a user
supplied argument. A local user permitted to run such application via sudo with
noexec restriction could possibly use this flaw to execute arbitrary commands
with elevated privileges (CVE-2016-7076).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7076
https://www.sudo.ws/alerts/noexec_wordexp.html
https://www.sudo.ws/stable.html#1.8.18p1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DBELDP5KT7URCP7P3RQFYBBKPBNLAJY6/
========================

Updated packages in core/updates_testing:
========================
sudo-1.8.18p1-1.mga5
sudo-devel-1.8.18p1-1.mga5

from sudo-1.8.18p1-1.mga5.src.rpm
Comment 5 Mike Rambo 2016-11-17 13:58:51 CET 
Tested the main sudo package on mga5 32 bit VM.

[mrambo@mga5test ~]$ rpm -qa | grep sudo
sudo-1.8.17p1-1.mga5

[mrambo@mga5test ~]$ sudo vi /etc/group
[sudo] password for mrambo: 

[mrambo@mga5test ~]$ sudo vi /etc/urpmi/urpmi.cfg - no request for pw as it was still cached.

(enabled Updates Testing)

[mrambo@mga5test ~]$ sudo urpmi sudo

[mrambo@mga5test ~]$ rpm -qa | grep sudo
sudo-1.8.18p1-1.mga5

(rebooted)

[mrambo@mga5test ~]$ rpm -qa | grep sudo
sudo-1.8.18p1-1.mga5

[mrambo@mga5test ~]$ sudo urpmi --auto-update
[sudo] password for mrambo: 

[mrambo@mga5test ~]$ sudo urpmi --auto-update - no pw request - still cached.

The updated package looks good to me on 32 bit mga5.

CC: (none) => mrambo
Whiteboard: (none) => MGA5-32-OK

Dave Hodgins 2016-11-17 20:26:11 CET

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2016-11-18 00:41:52 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0389.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED