Bug 26314 - sudo new security issues CVE-2019-1923[24]
Summary: sudo new security issues CVE-2019-1923[24]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-03-06 20:09 CET by David Walser
Modified: 2020-06-11 00:27 CEST
CC: 5 users

See Also:
Source RPM: sudo-1.8.28-1.1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-03-06 20:09:06 CET
Fedora has issued an advisory today (March 6):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/

The issues are fixed upstream in 1.8.30.
David Walser 2020-03-06 20:09:27 CET

Status comment: (none) => Fixed upstream in 1.8.30
CC: (none) => nicolas.salguero

Comment 1 Lewis Smith 2020-03-06 21:22:15 CET
No registered nor evident maintainer for 'sudo', so assigning globally.

Assignee: bugsquad => pkg-bugs

Morgan Leijström 2020-03-12 12:27:12 CET

CC: (none) => fri

Comment 2 Nicolas Lécureuil 2020-05-23 20:08:14 CEST
Advisory:
The sudo version provided by Mageia 7 is affected by some security issues.
This update upgrades sudo to version 1.8.31p1 to fix those issues.

Reference:
https://www.sudo.ws/legacy.html

rpms:
sudo-1.8.31p1-1.1.mga7
sudo-devel-1.8.31p1-1.1.mga7


from:
sudo-1.8.31p1-1.1.mga7

Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 1.8.30 => (none)
CC: (none) => mageia

Comment 3 David Walser 2020-05-23 20:15:33 CEST
Advisory:
========================

Updated sudo packages fix security vulnerabilities:

It was found that sudo always allowed commands to be run with unknown user or
group ids if the sudo configuration allowed it for example via the "ALL" alias.
This could allow sudo to impersonate a non-existent account and depending on how
applications are configured, could lead to certain restriction bypass. This is
now explicitly disabled. A new setting called "allow_unknown_runas_id" was
introduced in order to enable this (CVE-2019-19232).

When an account is disabled via the shadow file, by replacing the password hash
with "!", it is not considered disabled by sudo. And depending on the
configuration, sudo can be run by using such a disabled account (CVE-2019-19234).

The sudo package has been updated to version 1.8.31p1, fixing these issues and
other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19234
https://www.sudo.ws/legacy.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/
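The advisory above describes two conditions an administrator may want to verify on a host after (or before) applying the update: that the installed sudo is at or past 1.8.30, the first upstream release fixing both CVEs; which accounts are locked with a "!" hash in the shadow file, since older sudo did not treat those as disabled runas targets (CVE-2019-19234); and whether a sudoers file re-enables the old unknown-ID behaviour with the new "allow_unknown_runas_id" flag (CVE-2019-19232). The script below is an added example written for this page; it is not code from the Mageia bug, the advisory, or the sudo project. The function names are hypothetical, and the shadow and sudoers contents are constructed sample data, not taken from any real host.

```shell
#!/bin/sh
# Added example for the sudo advisory (CVE-2019-19232 / CVE-2019-19234).
# Not code from the Mageia bug or from the sudo project. Function names are
# hypothetical; the shadow/sudoers samples below are constructed for the demo.
# On a real host, point the functions at /etc/shadow and /etc/sudoers (root only).

# Return 0 if the given sudo version string (e.g. "1.8.31p1") is at least 1.8.30,
# the first release fixing both CVEs. Assumes the MAJOR.MINOR.PATCH[pN] form.
sudo_version_ok() {
    v=$(printf '%s' "$1" | sed 's/p[0-9]*$//')   # drop the "pN" patch-level suffix
    maj=${v%%.*}
    rest=${v#*.}
    min=${rest%%.*}
    pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0               # tolerate "1.8" with no patch field
    n=$((maj * 10000 + min * 100 + pat))
    [ "$n" -ge 10830 ]
}

# Print, one per line, the accounts in a shadow-format file whose password hash
# starts with "!" (locked via passwd -l / usermod -L). Before 1.8.30 sudo did not
# treat such accounts as disabled when used as a runas target (CVE-2019-19234).
locked_accounts() {
    awk -F: '$2 ~ /^!/ { print $1 }' "$1"
}

# Return 0 if a sudoers-format file turns the unknown-ID behaviour back on.
# After the CVE-2019-19232 fix this is off by default; a "Defaults" line listing
# allow_unknown_runas_id (not negated with "!") restores the old behaviour.
unknown_runas_enabled() {
    grep -Eq '^[[:space:]]*Defaults[^#]*[[:space:],]allow_unknown_runas_id([[:space:],]|$)' "$1"
}

# --- constructed sample data (not from any real host) ---
SAMPLE_SHADOW=$(mktemp)
printf '%s\n' \
  'root:$6$saltsalt$hashhash:18300:0:99999:7:::' \
  'alice:$6$saltsalt$hashhash:18300:0:99999:7:::' \
  'bob:!$6$saltsalt$hashhash:18300:0:99999:7:::' \
  'svc:!:18300:0:99999:7:::' > "$SAMPLE_SHADOW"

SAMPLE_SUDOERS_WEAK=$(mktemp)
printf '%s\n' \
  'Defaults env_reset, allow_unknown_runas_id' \
  'alice ALL=(ALL) ALL' > "$SAMPLE_SUDOERS_WEAK"

SAMPLE_SUDOERS_OK=$(mktemp)
printf '%s\n' \
  'Defaults env_reset' \
  '# allow_unknown_runas_id deliberately left unset (the post-fix default)' \
  'alice ALL=(ALL) ALL' > "$SAMPLE_SUDOERS_OK"

# Run the three checks against the samples and print a short report.
report() {
    for ver in 1.8.28 1.8.31p1; do
        if sudo_version_ok "$ver"; then
            echo "sudo $ver: fixed"
        else
            echo "sudo $ver: VULNERABLE (older than 1.8.30)"
        fi
    done
    echo "locked (!) accounts in sample shadow: $(locked_accounts "$SAMPLE_SHADOW" | tr '\n' ' ')"
    for f in "$SAMPLE_SUDOERS_WEAK" "$SAMPLE_SUDOERS_OK"; do
        if unknown_runas_enabled "$f"; then
            echo "$f: allow_unknown_runas_id set, unknown runas IDs permitted"
        else
            echo "$f: allow_unknown_runas_id not set"
        fi
    done
}
report
```

On a live system the version check is fed from the first line of `sudo -V`, which reads "Sudo version X.Y.Z", for example `sudo_version_ok "$(sudo -V | sed -n '1s/^Sudo version //p')"`; the Mageia package here, sudo-1.8.31p1-1.1.mga7, passes it. A locked account turning up in the shadow scan is not itself a problem once sudo is updated; the list is there so that any sudoers rule granting `(ALL)` as a runas target can be reviewed against it.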
Comment 4 Morgan Leijström 2020-05-24 02:14:43 CEST
Clean update and sudo still works.  Did not test the vulnerability.
Comment 5 Thomas Andrews 2020-05-31 15:41:39 CEST
I don't use sudo myself, but I think that's enough, Morgan. Thanks.

OKing and validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Nicolas Lécureuil 2020-06-10 23:25:16 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-06-11 00:27:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0246.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

