Bug 28067

Summary: sudo new security issues fixed upstream in 1.9.5 (including CVE-2021-23239, CVE-2021-23240)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, joequant, mageia, nicolas.salguero, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: sudo-1.8.31p1-1.1.mga7.src.rpm CVE: CVE-2021-23239, CVE-2021-23240
Status comment:

Description David Walser 2021-01-11 23:34:13 CET 
Sudo 1.9.5 has been released today (January 11):
https://www.sudo.ws/stable.html

Some issues were detailed here:
https://www.openwall.com/lists/oss-security/2021/01/11/2

but there were also others.  We should probably just update it.

Freeze push pending in Cauldron.
Comment 1 Aurelien Oudelet 2021-01-12 14:49:17 CET 
Hi, thanks for reporting this.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => pkg-bugs
CC: (none) => joequant, mageia, ouaurelien

Comment 2 Nicolas Salguero 2021-01-15 09:53:43 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path. (CVE-2021-23239)

selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file target. This affects SELinux RBAC support in permissive mode. Machines without SELinux are not vulnerable. (CVE-2021-23240)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23239
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23240
https://www.openwall.com/lists/oss-security/2021/01/11/2
https://www.sudo.ws/stable.html
========================

Updated packages in core/updates_testing:
========================
sudo-1.9.5-1.mga7
sudo-devel-1.9.5-1.mga7

from SRPM:
sudo-1.9.5-1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2021-23239, CVE-2021-23240

Comment 3 Thomas Andrews 2021-01-15 18:59:34 CET 
No installation issues.

Tested for basic functionality. Ran several commands using sudo, some valid some purposely not valid, all performed as expected.

Looks OK. Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update

Comment 4 Aurelien Oudelet 2021-01-17 15:25:29 CET 
Advisory pushed to SVN.

Keywords: (none) => advisory

Comment 5 Mageia Robot 2021-01-17 17:08:42 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0042.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED