Re: [SECURITY] [DSA 596-1] New sudo packages fix privilege escalation
Ok now I see it. The stable package.... the unstable package is fine.
Ramon Kagan
York University, Computing and Network Services
Information Security - Senior Information Security Analyst
(416)736-2100 #20263
rkagan@yorku.ca
----------------------------------- ------------------------------------
I have not failed. I have just I don't know the secret to success,
found 10,000 ways that don't work. but the secret to failure is
trying to please everybody.
- Thomas Edison - Bill Cosby
----------------------------------- ------------------------------------
On Wed, 24 Nov 2004, David wrote:
>
> This is what I get on all the 3.0 installations I've upgraded this
> package on (attached file).
>
> David
>
> On Wed, 24 Nov 2004, Ramon Kagan wrote:
>
> > Must be something in your environment, I don't get anything of the sort.
> >
> > Ramon Kagan
> > York University, Computing and Network Services
> > Information Security - Senior Information Security Analyst
> > (416)736-2100 #20263
> > rkagan@yorku.ca
> >
> > ----------------------------------- ------------------------------------
> > I have not failed. I have just I don't know the secret to success,
> > found 10,000 ways that don't work. but the secret to failure is
> > trying to please everybody.
> > - Thomas Edison - Bill Cosby
> > ----------------------------------- ------------------------------------
> >
> > On Wed, 24 Nov 2004, David wrote:
> >
> > > Hi Martin,
> > >
> > > This fix prints a bunch of debugging messages on sudo. Has it been tested!?
> > >
> > > David
> > >
> > > Martin Schulze wrote:
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > >
> > > > - --------------------------------------------------------------------------
> > > > Debian Security Advisory DSA 596-1 security@debian.org
> > > > http://www.debian.org/security/ Martin Schulze
> > > > November 24th, 2004 http://www.debian.org/security/faq
> > > > - --------------------------------------------------------------------------
> > > >
> > > > Package : sudo
> > > > Vulnerability : missing input sanitising
> > > > Problem-Type : local
> > > > Debian-specific: no
> > > > CVE ID : CAN-2004-1051
> > > > Debian Bug : 281665
> > > >
> > > > Liam Helmer noticed that sudo, a program that provides limited super
> > > > user privileges to specific users, does not clean the environment
> > > > sufficiently. Bash functions and the CDPATH variable are still passed
> > > > through to the program running as privileged user, leaving
> > > > possibilities to overload system routines. These vulnerabilities can
> > > > only be exploited by users who have been granted limited super user
> > > > privileges.
> > > >
> > > > For the stable distribution (woody) these problems have been fixed in
> > > > version 1.6.6-1.2.
> > > >
> > > > For the unstable distribution (sid) these problems have been fixed in
> > > > version 1.6.8p3.
> > > >
> > > > We recommend that you upgrade your sudo package.
> > > >
> > > >
> > > > Upgrade Instructions
> > > > - --------------------
> > > >
> > > > wget url
> > > > will fetch the file for you
> > > > dpkg -i file.deb
> > > > will install the referenced file.
> > > >
> > > > If you are using the apt-get package manager, use the line for
> > > > sources.list as given below:
> > > >
> > > > apt-get update
> > > > will update the internal database
> > > > apt-get upgrade
> > > > will install corrected packages
> > > >
> > > > You may use an automated update by adding the resources from the
> > > > footer to the proper configuration.
> > > >
> > > >
> > > > Debian GNU/Linux 3.0 alias woody
> > > > - --------------------------------
> > > >
> > > > Source archives:
> > > >
> > > > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2.dsc
> > > > Size/MD5 checksum: 587 b4750887bf910de5d8bc4d4ef3f71b3b
> > > > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2.diff.gz
> > > > Size/MD5 checksum: 12251 e138445e17adf6eec25035bb8c1ef0c9
> > > > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6.orig.tar.gz
> > > > Size/MD5 checksum: 333074 4da4bf6cf31634cc7a17ec3b69fdc333
> > > >
> > > > Alpha architecture:
> > > >
> > > > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_alpha.deb
> > > > Size/MD5 checksum: 151386 841c5cfa5405fbef08d95fb7fcd50364
> > > >
> > > > ARM architecture:
> > > >
> > > > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_arm.deb
> > > > Size/MD5 checksum: 141442 46d1faa34df223b014c3131879ccadff
> > > >
> > > > Intel IA-32 architecture:
> > > >
> > > > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_i386.deb
> > > > Size/MD5 checksum: 135076 687519f374ef803d532e1a2c966322a6
> > > >
> > > > Intel IA-64 architecture:
> > > >
> > > > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_ia64.deb
> > > > Size/MD5 checksum: 172442 8e0f391e39197f7911069210dae06da7
> > > >
> > > > HP Precision architecture:
> > > >
> > > > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_hppa.deb
> > > > Size/MD5 checksum: 147512 b32938d0bf2d681b4556c64d7071187a
> > > >
> > > > Motorola 680x0 architecture:
> > > >
> > > > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_m68k.deb
> > > > Size/MD5 checksum: 132698 63860473eb387086c4474acc395ff96e
> > > >
> > > > Big endian MIPS architecture:
> > > >
> > > > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_mips.deb
> > > > Size/MD5 checksum: 144380 c1ffef369f073099d84704f24e2252f1
> > > >
> > > > Little endian MIPS architecture:
> > > >
> > > > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_mipsel.deb
> > > > Size/MD5 checksum: 144250 bdb34c5adaf5562908d6df4517bf0cd3
> > > >
> > > > PowerPC architecture:
> > > >
> > > > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_powerpc.deb
> > > > Size/MD5 checksum: 140566 ff92e82812ef08d35b51239099efaca3
> > > >
> > > > IBM S/390 architecture:
> > > >
> > > > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_s390.deb
> > > > Size/MD5 checksum: 140222 f327c3436a5a103b1d028dc2e045c226
> > > >
> > > > Sun Sparc architecture:
> > > >
> > > > http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_sparc.deb
> > > > Size/MD5 checksum: 143004 6c4300c125317a6faf9e154803552485
> > > >
> > > >
> > > > These files will probably be moved into the stable distribution on
> > > > its next update.
> > > >
> > > > - ---------------------------------------------------------------------------------
> > > > For apt-get: deb http://security.debian.org/ stable/updates main
> > > > For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> > > > Mailing list: debian-security-announce@lists.debian.org
> > > > Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
> > > >
> > > > -----BEGIN PGP SIGNATURE-----
> > > > Version: GnuPG v1.2.5 (GNU/Linux)
> > > >
> > > > iD8DBQFBpHn2W5ql+IAeqTIRAsbeAJ93UCDKx39/3F123rZPt4B+CpYN5wCcD01g
> > > > heOiCeKmYQUJoqWasNWbWB0=
> > > > =qta2
> > > > -----END PGP SIGNATURE-----
> > > >
> > > >
> > >
> > > --
> > > |> /+\ \| | |>
> > >
> > >
> > > --
> > > To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> > > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> > >
> > >
> >
>
> --
> |> /+\ \| | |>
>
> David Croft
> Infotrek
Reply to: