Fedora has issued an advisory on November 8: https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171024.html The patch is linked in the RedHat bug, but doesn't appear to be backportable: https://bugzilla.redhat.com/show_bug.cgi?id=1277426 The issue is fixed upstream in 1.8.15. Updated packages uploaded for Mageia 5 and Cauldron. Advisory: ======================== Updated sudo packages fix security vulnerability: An unauthorized privilege escalation was found in sudoedit in sudo before 1.8.15 when a user is granted with root access to modify a particular file that could be located in a subset of directories. It seems that sudoedit does not check the full path if a wildcard is used twice (e.g. /home/*/*/file.txt), allowing a malicious user to replace the file.txt real file with a symbolic link to a different location (e.g. /etc/shadow), which results in unauthorized access (CVE-2015-5602). The sudo package has been updated to version 1.8.15, which fixes this issue, and also includes many other bug fixes and changes. See the upstream change log for details. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5602 http://www.sudo.ws/stable.html#1.8.15 https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171024.html ======================== Updated packages in core/updates_testing: ======================== sudo-1.8.15-1.mga5 sudo-devel-1.8.15-1.mga5 from sudo-1.8.15-1.mga5.src.rpm Reproducible: Steps to Reproduce:
Basic sudo setup if you haven't used it before: https://wiki.mageia.org/en/Configuring_sudo
$ sudo echo rpm -q sudo [sudo] password for claire: sudo-1.8.15-1.mga5
Whiteboard: (none) => has_procedure mga5-64-ok
OOps copy/paste error.. $ sudo rpm -q sudo [sudo] password for claire: sudo-1.8.15-1.mga5 $ sudo echo "slaps self" slaps self $ sudo whoami root
In VirtualBox, M5, KDE, 32-bit Package(s) under test: sudo default install of sudo [root@localhost wilcal]# urpmi sudo Package sudo-1.8.12-2.mga5.i586 is already installed [root@localhost wilcal]# sudo rpm -q sudo sudo-1.8.12-2.mga5 [root@localhost wilcal]# sudo echo "slaps self" slaps self [root@localhost wilcal]# sudo whoami root install sudo from updates_testing [root@localhost wilcal]# urpmi sudo Package sudo-1.8.15-1.mga5.i586 is already installed [root@localhost wilcal]# sudo rpm -q sudo sudo-1.8.15-1.mga5 [root@localhost wilcal]# sudo echo "slaps self" slaps self [root@localhost wilcal]# sudo whoami root
CC: (none) => wilcal.int
Whiteboard: has_procedure mga5-64-ok => has_procedure mga5-32-ok mga5-64-ok
This update works fine. Testing complete for MGA5, 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
CC: (none) => davidwhodginsWhiteboard: has_procedure mga5-32-ok mga5-64-ok => has_procedure mga5-32-ok mga5-64-ok advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0443.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
Upstream has issued an advisory on October 26, 2016: https://www.sudo.ws/alerts/noexec_bypass.html LWN reference: http://lwn.net/Vulnerabilities/706476/ That issue, CVE-2016-7032, was also fixed by this update.