Ubuntu has issued an advisory today (February 28):
http://www.ubuntu.com/usn/usn-1754-1/

This fixes CVE-2013-1775, which they rated as a high severity issue.

Upstream has issued the 1.8.6p7 release, which fixes this issue, as well as CVE-2013-1776, which RedHat has rated as a low severity issue:
http://www.sudo.ws/sudo/stable.html
https://bugzilla.redhat.com/show_bug.cgi?id=916365

Freeze push requested for Cauldron.

Patched package uploaded for Mageia 2.

Advisory:
========================

Updated sudo packages fix security vulnerabilities:

Marco Schoepl discovered that Sudo incorrectly handled time stamp files when the system clock is set to epoch. A local attacker could use this issue to run Sudo commands without a password prompt (CVE-2013-1775).

Sudo before 1.8.6p7 allows a malicious user to run commands via sudo without authenticating, so long as there exists a terminal the user has access to where a sudo command was successfully run by that same user within the password timeout period (usually five minutes) (CVE-2013-1776).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1776
http://www.sudo.ws/sudo/alerts/epoch_ticket.html
http://www.sudo.ws/sudo/alerts/tty_tickets.html
http://www.ubuntu.com/usn/usn-1754-1/
========================

Updated packages in core/updates_testing:
========================
sudo-1.8.3p2-2.1.mga2
sudo-devel-1.8.3p2-2.1.mga2

from sudo-1.8.3p2-2.1.mga2.src.rpm
1.8.6p7 is now pushed in Cauldron.
I couldn't recreate the problem, and if I understand it correctly, after resetting the time to the epoch, the sudo command would have to be entered within one second, so I'm just testing that the updated package works.

Testing complete on Mageia 2 i586 and x86_64.

Could someone from the sysadmin team push the srpm sudo-1.8.3p2-2.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates?

Advisory:

Updated sudo packages fix security vulnerabilities:

Marco Schoepl discovered that Sudo incorrectly handled time stamp files when the system clock is set to epoch. A local attacker could use this issue to run Sudo commands without a password prompt (CVE-2013-1775).

Sudo before 1.8.6p7 allows a malicious user to run commands via sudo without authenticating, so long as there exists a terminal the user has access to where a sudo command was successfully run by that same user within the password timeout period (usually five minutes) (CVE-2013-1776).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1776
http://www.sudo.ws/sudo/alerts/epoch_ticket.html
http://www.sudo.ws/sudo/alerts/tty_tickets.html
http://www.ubuntu.com/usn/usn-1754-1/
https://bugs.mageia.org/show_bug.cgi?id=9207
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0078
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
CVE-2013-1776 has now been split and there's a CVE-2013-2776 associated with it as well. The reasons for the split are unclear. Regardless, we've already fixed it. http://lwn.net/Vulnerabilities/569024/