19762 – sudo new security issue CVE-2016-7076

Bug 19762 - sudo new security issue CVE-2016-7076

Summary: sudo new security issue CVE-2016-7076

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	5
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/706398/
Whiteboard:	MGA5-32-OK advisory
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2016-11-11 23:01 CET by David Walser
Modified:	2016-11-18 00:41 CET (History)
CC List:	5 users (show)

See Also:
Source RPM:	sudo-1.8.17p1-1.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2016-11-11 23:01:08 CET

Upstream has issued an advisory on October 26:
https://www.sudo.ws/alerts/noexec_wordexp.html

The issue is fixed in 1.8.18p1:
https://www.sudo.ws/stable.html#1.8.18p1

Freeze push requested for Cauldron.  We could probably just update it for Mageia 5.

Comment 1 David Walser 2016-11-12 00:36:11 CET

Fedora has issued an advisory for this today (November 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DBELDP5KT7URCP7P3RQFYBBKPBNLAJY6/

Comment 2 Marja Van Waes 2016-11-12 10:25:00 CET

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

David Walser 2016-11-14 19:35:09 CET

URL: (none) => http://lwn.net/Vulnerabilities/706398/

Comment 3 Nicolas Lécureuil 2016-11-16 16:01:39 CET

available in updates_testing

SRPMS: sudo-1.8.18p1-1.mga5

CC: (none) => mageia
Assignee: pkg-bugs => qa-bugs

Comment 4 David Walser 2016-11-16 16:48:16 CET

Advisory:
========================

Updated sudo packages fix security vulnerability:

It was discovered that the sudo noexec restriction could have been bypassed if
application run via sudo executed wordexp() C library function with a user
supplied argument. A local user permitted to run such application via sudo with
noexec restriction could possibly use this flaw to execute arbitrary commands
with elevated privileges (CVE-2016-7076).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7076
https://www.sudo.ws/alerts/noexec_wordexp.html
https://www.sudo.ws/stable.html#1.8.18p1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DBELDP5KT7URCP7P3RQFYBBKPBNLAJY6/
========================

Updated packages in core/updates_testing:
========================
sudo-1.8.18p1-1.mga5
sudo-devel-1.8.18p1-1.mga5

from sudo-1.8.18p1-1.mga5.src.rpm

Comment 5 Mike Rambo 2016-11-17 13:58:51 CET

Tested the main sudo package on mga5 32 bit VM.

[mrambo@mga5test ~]$ rpm -qa | grep sudo
sudo-1.8.17p1-1.mga5

[mrambo@mga5test ~]$ sudo vi /etc/group
[sudo] password for mrambo: 

[mrambo@mga5test ~]$ sudo vi /etc/urpmi/urpmi.cfg - no request for pw as it was still cached.

(enabled Updates Testing)

[mrambo@mga5test ~]$ sudo urpmi sudo

[mrambo@mga5test ~]$ rpm -qa | grep sudo
sudo-1.8.18p1-1.mga5

(rebooted)

[mrambo@mga5test ~]$ rpm -qa | grep sudo
sudo-1.8.18p1-1.mga5

[mrambo@mga5test ~]$ sudo urpmi --auto-update
[sudo] password for mrambo: 

[mrambo@mga5test ~]$ sudo urpmi --auto-update - no pw request - still cached.

The updated package looks good to me on 32 bit mga5.

CC: (none) => mrambo
Whiteboard: (none) => MGA5-32-OK

Dave Hodgins 2016-11-17 20:26:11 CET

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2016-11-18 00:41:52 CET

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0389.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.