Bug 9207 - sudo new security issues CVE-2013-1775 and CVE-2013-1776
: sudo new security issues CVE-2013-1775 and CVE-2013-1776
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/540474/
: MGA2-64-OK MGA2-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-02-28 19:41 CET by David Walser
Modified: 2013-10-01 20:57 CEST (History)
3 users (show)

See Also:
Source RPM: sudo-1.8.3p2-2.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-02-28 19:41:40 CET
Ubuntu has issued an advisory today (February 28):
http://www.ubuntu.com/usn/usn-1754-1/

This fixes CVE-2013-1775, which they rated as a high severity issue.

Upstream has issued the 1.8.6p7 release, which fixes this issue, as well as
CVE-2013-1776, which RedHat has rated as a low severity issue:
http://www.sudo.ws/sudo/stable.html
https://bugzilla.redhat.com/show_bug.cgi?id=916365

Freeze push requested for Cauldron.

Patched package uploaded for Mageia 2.

Advisory:
========================

Updated sudo packages fix security vulnerabilities:

Marco Schoepl discovered that Sudo incorrectly handled time stamp files
when the system clock is set to epoch. A local attacker could use this
issue to run Sudo commands without a password prompt (CVE-2013-1775).

Sudo before 1.8.6p7 allows a malicious user to run commands via sudo
without authenticating, so long as there exists a terminal the user has
access to where a sudo command was successfully run by that same user
within the password timeout period (usually five minutes) (CVE-2013-1776).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1776
http://www.sudo.ws/sudo/alerts/epoch_ticket.html
http://www.sudo.ws/sudo/alerts/tty_tickets.html
http://www.ubuntu.com/usn/usn-1754-1/
========================

Updated packages in core/updates_testing:
========================
sudo-1.8.3p2-2.1.mga2
sudo-devel-1.8.3p2-2.1.mga2

from sudo-1.8.3p2-2.1.mga2.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-02-28 22:00:08 CET
1.8.6p7 is now pushed in Cauldron.
Comment 2 Dave Hodgins 2013-02-28 22:36:30 CET
I couldn't recreate the problem, and if I understand it correctly,
after resetting the time to the epoch, the sudo command would have
to be entered within one second. so I'm just testing that the
updated package works.

Testing complete on Mageia 2 i586 and x86_64.

Could someone from the sysadmin team push the srpm
sudo-1.8.3p2-2.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated sudo packages fix security vulnerabilities:

Marco Schoepl discovered that Sudo incorrectly handled time stamp files
when the system clock is set to epoch. A local attacker could use this
issue to run Sudo commands without a password prompt (CVE-2013-1775).

Sudo before 1.8.6p7 allows a malicious user to run commands via sudo
without authenticating, so long as there exists a terminal the user has
access to where a sudo command was successfully run by that same user
within the password timeout period (usually five minutes) (CVE-2013-1776).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1776
http://www.sudo.ws/sudo/alerts/epoch_ticket.html
http://www.sudo.ws/sudo/alerts/tty_tickets.html
http://www.ubuntu.com/usn/usn-1754-1/

https://bugs.mageia.org/show_bug.cgi?id=9207
Comment 3 Thomas Backlund 2013-03-01 22:29:41 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0078
Comment 4 David Walser 2013-10-01 20:57:28 CEST
CVE-2013-1776 has now been split and there's a CVE-2013-2776 associated with it as well.  The reasons for the split are unclear.  Regardless, we've already fixed it.

http://lwn.net/Vulnerabilities/569024/

Note You need to log in before you can comment on or make changes to this bug.