Upstream has issued an advisory today (February 9):
http://www.sudo.ws/alerts/tz.html

A CVE has been requested:
http://openwall.com/lists/oss-security/2015/02/09/12

Looking at the changes since 1.8.10p3:
http://www.sudo.ws/sudo/stable.html
there's bug fixes, regression fixes, translation updates, and some other changes, but it looks like it should be OK to update. However, the new shared library they added, libsudo_util, causes a linking error when trying to build it.

Mageia 4 is also affected.
Whiteboard: (none) => MGA4TOO
CVE-2014-9680 has been assigned: http://openwall.com/lists/oss-security/2015/02/12/13
Summary: sudo new security issue fixed upstream in 1.8.12 => sudo new security issue fixed upstream in 1.8.12 (CVE-2014-9680)
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated sudo packages fix security vulnerability:

Prior to sudo 1.8.12, the TZ environment variable was passed through unchecked. Most libc tzset() implementations support passing an absolute pathname in the time zone to point to an arbitrary, user-controlled file. This may be used to exploit bugs in the C library's TZ parser or open files the user would not otherwise have access to. Arbitrary file access via TZ could also be used in a denial of service attack by reading from a file or fifo that will block (CVE-2014-9680).

The sudo package has been updated to version 1.8.12, fixing this issue and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9680
http://www.sudo.ws/alerts/tz.html
http://www.sudo.ws/sudo/stable.html
========================

Updated packages in core/updates_testing:
========================
sudo-1.8.12-1.mga4
sudo-devel-1.8.12-1.mga4

from sudo-1.8.12-1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO => (none)
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: sudo

default install of sudo
  [root@localhost wilcal]# urpmi sudo
  Package sudo-1.8.8-3.mga4.i586 is already installed

open a terminal
  [wilcal@localhost ~]$ su -
  Password: xxxxxxxx
  [root@localhost ~]# dolphin   ( opens dolphin as root )
  [root@localhost ~]# kwrite    ( opens kwrite as root )
and many other commands as root work.

install sudo from updates_testing
  [root@localhost wilcal]# urpmi sudo
  Package sudo-1.8.12-1.mga4.i586 is already installed

open a terminal
  [wilcal@localhost ~]$ su -
  Password: xxxxxxxx
  [root@localhost ~]# dolphin   ( opens dolphin as root )
  [root@localhost ~]# kwrite    ( opens kwrite as root )
and many other commands as root work.

Test platform:
  Intel Core i7-2600K Sandy Bridge 3.4GHz
  GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
  GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
  RTL8111/8168B PCI Express 1Gbit Ethernet
  DRAM 16GB (4 x 4GB)
  Mageia 4 64-bit, Nvidia driver
  virtualbox-4.3.10-1.1.mga4.x86_64
  virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
This update is for sudo, not util-linux (where su comes from).
(In reply to David Walser from comment #4)
> This update is for sudo, not util-linux (where su comes from).

You got a couple three simple sudo commands that will ensure this got updated properly?
Yep. https://wiki.mageia.org/en/Configuring_sudo
Whiteboard: (none) => has_procedure
URL: (none) => http://lwn.net/Vulnerabilities/633637/
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: sudo

  [root@localhost wilcal]# urpmi sudo
  Package sudo-1.8.12-1.mga4.i586 is already installed

I was able to create /etc/sudoers.d/01wheel using:
  echo "%wheel ALL=(ALL) ALL" > /etc/sudoers.d/01wheel
  chmod 440 /etc/sudoers.d/01wheel

I added user wilcal to the wheel group using:
  MCC -> System -> Manage users on System -> select user -> Edit ->

in a terminal:
  [wilcal@localhost ~]$ sudo -i
  [sudo] password for wilcal: xxxxx
  [root@localhost ~]# urpmi sudo
  Package sudo-1.8.12-1.mga4.i586 is already installed

Test platform:
  Intel Core i7-2600K Sandy Bridge 3.4GHz
  GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
  GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
  RTL8111/8168B PCI Express 1Gbit Ethernet
  DRAM 16GB (4 x 4GB)
  Mageia 4 64-bit, Nvidia driver
  virtualbox-4.3.10-1.1.mga4.x86_64
  virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: sudo

default install of sudo
  [root@localhost wilcal]# urpmi sudo
  Package sudo-1.8.8-3.mga4.x86_64 is already installed

install sudo from updates_testing
  [root@localhost wilcal]# urpmi sudo
  Package sudo-1.8.12-1.mga4.x86_64 is already installed

I was able to create /etc/sudoers.d/01wheel using:
  echo "%wheel ALL=(ALL) ALL" > /etc/sudoers.d/01wheel
  chmod 440 /etc/sudoers.d/01wheel

I added user wilcal to the wheel group using:
  MCC -> System -> Manage users on System -> select user -> Edit ->

in a terminal:
  [wilcal@localhost ~]$ sudo -i
  [sudo] password for wilcal: xxxxx
  [root@localhost ~]# urpmi sudo
  Package sudo-1.8.12-1.mga4.x86_64 is already installed

Test platform:
  Intel Core i7-2600K Sandy Bridge 3.4GHz
  GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
  GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
  RTL8111/8168B PCI Express 1Gbit Ethernet
  DRAM 16GB (4 x 4GB)
  Mageia 4 64-bit, Nvidia driver
  virtualbox-4.3.10-1.1.mga4.x86_64
  virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
If this looks good to you David I'll validate it.
Sure, go ahead. Thanks.
This update works fine. Testing complete for mga4 32-bit & 64-bit.

Validating the update. Could someone from the sysadmin team push this to updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
You could instead have added your user in /etc/sudoers, Bill; there is a tool for editing that file, called visudo, based on vi. The wheel group is useful for a multiuser system though.

Advisory uploaded.
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
You could use a different group than wheel, as that has other implications, but you really shouldn't use visudo or edit /etc/sudoers, that's why the wiki page is written the way it is. That file is owned by the package, and you'll have to reintegrate your changes into the rpmnew file if the file changes in the package. That's why sudo has the dropins directory /etc/sudoers.d, and generally such dropin directories should be used when available. It sounds like the new version of sudo has a way to fix visudo to use a file in the dropins directory. Hopefully someone can figure this out so that we can fix it in the package.
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0079.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED