Bug 26314

Summary: sudo new security issues CVE-2019-1923[24]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, fri, mageia, nicolas.salguero, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: sudo-1.8.28-1.1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-03-06 20:09:06 CET 
Fedora has issued an advisory today (March 6):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/

The issues are fixed upstream in 1.8.30.
David Walser 2020-03-06 20:09:27 CET

Status comment: (none) => Fixed upstream in 1.8.30
CC: (none) => nicolas.salguero

Comment 1 Lewis Smith 2020-03-06 21:22:15 CET 
No registered nor evident maintainer for 'sudo', so assigning globally.

Assignee: bugsquad => pkg-bugs

Morgan Leijström 2020-03-12 12:27:12 CET

CC: (none) => fri

Comment 2 Nicolas Lécureuil 2020-05-23 20:08:14 CEST 
Advisory:
The sudo version provided by mageia 7 is affected by some security issues.
This updates upgrade sudo to version 1.8.31p1 to fix those issues.

Reference:
https://www.sudo.ws/legacy.html

rpms:
sudo-1.8.31p1-1.1.mga7
sudo-devel-1.8.31p1-1.1.mga7


from:
sudo-1.8.31p1-1.1.mga7

Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 1.8.30 => (none)
CC: (none) => mageia

Comment 3 David Walser 2020-05-23 20:15:33 CEST 
Advisory:
========================

Updated sudo packages fix security vulnerabilities:

It was found that sudo always allowed commands to be run with unknown user or
group ids if the sudo configuration allowed it for example via the "ALL" alias.
This could allow sudo to impersonate non-existent account and depending on how
applications are configured, could lead to certain restriction bypass. This is
now explicitly disabled. A new setting called "allow_unknown_runas_id" was
introduced in order to enable this (CVE-2019-19232).

When an account is disabled via the shadow file, by replacing the password hash
with "!", it is not considered disabled by sudo. And depending on the
configuration, sudo can be run by using such disabled account (CVE-2019-19234).

The sudo package has been updated to version 1.8.31p1, fixing these issues and
other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19234
https://www.sudo.ws/legacy.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/
Comment 4 Morgan Leijström 2020-05-24 02:14:43 CEST 
Clean update and sudo still works.  Did not test the vulnerability.
Comment 5 Thomas Andrews 2020-05-31 15:41:39 CEST 
I don't use sudo myself, but I think that's enough, Morgan. Thanks.

OKing and validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Nicolas Lécureuil 2020-06-10 23:25:16 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-06-11 00:27:33 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0246.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED