Ubuntu has issued an advisory on May 16: http://www.ubuntu.com/usn/usn-1442-1/ Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2337 http://www.sudo.ws/sudo/alerts/netmask.html Cauldron is also affected. I have committed the patch in Cauldron and Mageia 1 SVN. I guess we have to wait until Mageia 2 is branched to push to the build system.
Mandriva has issued an advisory for this today (May 21): http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:079
Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron. Advisory: ======================== Updated sudo packages fix security vulnerabilities: A flaw exists in the IP network matching code in sudo versions 1.6.9p3 through 1.8.4p4 that may result in the local host being matched even though it is not actually part of the network described by the IP address and associated netmask listed in the sudoers file or in LDAP. As a result, users authorized to run commands on certain IP networks may be able to run commands on hosts that belong to other networks not explicitly listed in sudoers (CVE-2012-2337). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2337 http://www.sudo.ws/sudo/alerts/netmask.html http://www.ubuntu.com/usn/usn-1442-1/ http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:079 ======================== Updated packages in core/updates_testing: ======================== sudo-1.8.0-6.mga1 sudo-devel-1.8.0-6.mga1 sudo-1.8.3p2-2.mga2 sudo-devel-1.8.3p2-2.mga2 from SRPMS: sudo-1.8.0-6.mga1.src.rpm sudo-1.8.3p2-2.mga2.src.rpm
Assignee: bugsquad => qa-bugs
mga1 x86_64, ok for me.
Hardware: i586 => All
It's working fine here, on i586 mga 1. I haven't tried to recreate the bug, as it's not clear to me how to configure sudo to recreate it, so just testing that my normal usage of sudo is working. As both Mageia 1 and Mageia 2 updates are being included in one bug report (they're supposed to be split), validating the update will have to wait until Mageia 2 testing is also complete on both platforms.
CC: (none) => davidwhodgins
Whiteboard: (none) => mga1-64-OK, mga1-i586-OK
Works correctly here on mga 2 x86_64. Made a vain attempt at trying to reproduce the bug, but my network is far too simple.
CC: (none) => fcsWhiteboard: mga1-64-OK, mga1-i586-OK => mga1-64-OK, mga1-i586-OK, mga2-64-OK
Validating the update. Could someone from the sysadmin team push the srpm sudo-1.8.0-6.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates, and the srpm sudo-1.8.3p2-2.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates, Advisory: Updated sudo packages fix security vulnerabilities: A flaw exists in the IP network matching code in sudo versions 1.6.9p3 through 1.8.4p4 that may result in the local host being matched even though it is not actually part of the network described by the IP address and associated netmask listed in the sudoers file or in LDAP. As a result, users authorized to run commands on certain IP networks may be able to run commands on hosts that belong to other networks not explicitly listed in sudoers (CVE-2012-2337). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2337 http://www.sudo.ws/sudo/alerts/netmask.html http://www.ubuntu.com/usn/usn-1442-1/ http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:079 https://bugs.mageia.org/show_bug.cgi?id=5960
CC: (none) => sysadmin-bugsWhiteboard: mga1-64-OK, mga1-i586-OK, mga2-64-OK => mga1-64-OK, mga1-i586-OK, mga2-64-OK, mga2-i586-OK , validated_update
Keywords: (none) => validated_updateWhiteboard: mga1-64-OK, mga1-i586-OK, mga2-64-OK, mga2-i586-OK , validated_update => mga1-64-OK, mga1-32-OK, mga2-64-OK, mga2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0110
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED