Bug 4348

Summary: CVE 2012-0809: Sudo format string vulnerability
Product: Mageia Reporter: Nicolas Vigier <boklm>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: critical    
Priority: High CC: sysadmin-bugs
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: sudo CVE:
Status comment:

Description Nicolas Vigier 2012-01-30 18:34:32 CET 
Sudo format string vulnerability :
http://www.sudo.ws/sudo/alerts/sudo_debug.html

An updated package has been submitted to updates_testing for mageia 1 to fix this issue.

How to test this vulnerability :
    $ ln -s /usr/bin/sudo ./%s
    $ ./%s -D9
    Segmentation fault
Nicolas Vigier 2012-01-30 18:34:40 CET

Priority: Normal => High

Comment 1 claire robinson 2012-01-30 18:53:18 CET 
Testing x86_64

Confirmed segfault

Mirror hasn't updated yet to test the new version.
Comment 2 Nicolas Vigier 2012-01-30 18:59:12 CET 
Advisory text for the update :
A flaw discovered by joernchen of Phenoelit exists in the debugging code in sudo versions 1.8.0 through 1.8.3p1 that can be used to crash sudo or potentially allow an unauthorized user to elevate privileges. This update fix this issue.
Comment 3 claire robinson 2012-01-30 19:06:46 CET 
Using a different mirror. Tested OK x86_64 - gives usage information.
Comment 4 claire robinson 2012-01-30 19:11:54 CET 
Tested OK i586

Update validated

SRPM: sudo-1.8.0-5.mga1.src.rpm

Comment 2 for advisory


Could sysadmin please push to updates

Thankyou!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Nicolas Vigier 2012-01-30 19:19:00 CET 
Updated packages have been pushed to updates repository.

Status: NEW => RESOLVED
Resolution: (none) => FIXED