Re: [SECURITY] [DSA 596-1] New sudo packages fix privilege escalation
Must be something in your environment, I don't get anything of the sort.
Ramon Kagan
York University, Computing and Network Services
Information Security - Senior Information Security Analyst
(416)736-2100 #20263
rkagan@yorku.ca
----------------------------------- ------------------------------------
I have not failed. I have just I don't know the secret to success,
found 10,000 ways that don't work. but the secret to failure is
trying to please everybody.
- Thomas Edison - Bill Cosby
----------------------------------- ------------------------------------
On Wed, 24 Nov 2004, David wrote:
> Hi Martin,
>
> This fix prints a bunch of debugging messages on sudo. Has it been tested!?
>
> David
>
> Martin Schulze wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > - --------------------------------------------------------------------------
> > Debian Security Advisory DSA 596-1 security@debian.org
> > http://www.debian.org/security/ Martin Schulze
> > November 24th, 2004 http://www.debian.org/security/faq
> > - --------------------------------------------------------------------------
> >
> > Package : sudo
> > Vulnerability : missing input sanitising
> > Problem-Type : local
> > Debian-specific: no
> > CVE ID : CAN-2004-1051
> > Debian Bug : 281665
> >
> > Liam Helmer noticed that sudo, a program that provides limited super
> > user privileges to specific users, does not clean the environment
> > sufficiently. Bash functions and the CDPATH variable are still passed
> > through to the program running as privileged user, leaving
> > possibilities to overload system routines. These vulnerabilities can
> > only be exploited by users who have been granted limited super user
> > privileges.
> >
> > For the stable distribution (woody) these problems have been fixed in
> > version 1.6.6-1.2.
> >
> > For the unstable distribution (sid) these problems have been fixed in
> > version 1.6.8p3.
> >
> > We recommend that you upgrade your sudo package.
> >
> >
> > Upgrade Instructions
> > - --------------------
> >
> > wget url
> > will fetch the file for you
> > dpkg -i file.deb
> > will install the referenced file.
> >
> > If you are using the apt-get package manager, use the line for
> > sources.list as given below:
> >
> > apt-get update
> > will update the internal database
> > apt-get upgrade
> > will install corrected packages
> >
> > You may use an automated update by adding the resources from the
> > footer to the proper configuration.
> >
> >
> > Debian GNU/Linux 3.0 alias woody
> > - --------------------------------
> >
> > Source archives:
> >
> > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2.dsc
> > Size/MD5 checksum: 587 b4750887bf910de5d8bc4d4ef3f71b3b
> > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2.diff.gz
> > Size/MD5 checksum: 12251 e138445e17adf6eec25035bb8c1ef0c9
> > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6.orig.tar.gz
> > Size/MD5 checksum: 333074 4da4bf6cf31634cc7a17ec3b69fdc333
> >
> > Alpha architecture:
> >
> > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_alpha.deb
> > Size/MD5 checksum: 151386 841c5cfa5405fbef08d95fb7fcd50364
> >
> > ARM architecture:
> >
> > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_arm.deb
> > Size/MD5 checksum: 141442 46d1faa34df223b014c3131879ccadff
> >
> > Intel IA-32 architecture:
> >
> > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_i386.deb
> > Size/MD5 checksum: 135076 687519f374ef803d532e1a2c966322a6
> >
> > Intel IA-64 architecture:
> >
> > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_ia64.deb
> > Size/MD5 checksum: 172442 8e0f391e39197f7911069210dae06da7
> >
> > HP Precision architecture:
> >
> > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_hppa.deb
> > Size/MD5 checksum: 147512 b32938d0bf2d681b4556c64d7071187a
> >
> > Motorola 680x0 architecture:
> >
> > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_m68k.deb
> > Size/MD5 checksum: 132698 63860473eb387086c4474acc395ff96e
> >
> > Big endian MIPS architecture:
> >
> > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_mips.deb
> > Size/MD5 checksum: 144380 c1ffef369f073099d84704f24e2252f1
> >
> > Little endian MIPS architecture:
> >
> > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_mipsel.deb
> > Size/MD5 checksum: 144250 bdb34c5adaf5562908d6df4517bf0cd3
> >
> > PowerPC architecture:
> >
> > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_powerpc.deb
> > Size/MD5 checksum: 140566 ff92e82812ef08d35b51239099efaca3
> >
> > IBM S/390 architecture:
> >
> > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_s390.deb
> > Size/MD5 checksum: 140222 f327c3436a5a103b1d028dc2e045c226
> >
> > Sun Sparc architecture:
> >
> > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_sparc.deb
> > Size/MD5 checksum: 143004 6c4300c125317a6faf9e154803552485
> >
> >
> > These files will probably be moved into the stable distribution on
> > its next update.
> >
> > - ---------------------------------------------------------------------------------
> > For apt-get: deb http://security.debian.org/ stable/updates main
> > For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> > Mailing list: debian-security-announce@lists.debian.org
> > Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.5 (GNU/Linux)
> >
> > iD8DBQFBpHn2W5ql+IAeqTIRAsbeAJ93UCDKx39/3F123rZPt4B+CpYN5wCcD01g
> > heOiCeKmYQUJoqWasNWbWB0=
> > =qta2
> > -----END PGP SIGNATURE-----
> >
> >
>
> --
> |> /+\ \| | |>
>
>
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
Reply to: