Re: "Fix" of sudo with DSA-946-1
Freek Dijkstra wrote:
> Martin Schulze wrote:
>
> > Proposed updates for woody and sarge are here:
> > http://klecker.debian.org/~joey/security/sudo/
> > I'd be glad if you could test them.
>
> That's awesome. Thanks! Here, have some karma :-)
:)
> I just installed your version on sarge using:
> - Remove my (custom) "Defaults" line in my /etc/sudoers file
> - sudo dpkg -i sudo_1.6.8p7-1.4_i386.deb
>
> Most environment variables seem there as I would expect, and those I
> don't expect are indeed removed. The only issue I still have is that the
> manual page should still be updated. I noticed some changes in
> sudoers.pod (in sudo_1.6.8p7-1.4.diff.gz), but somehow that did not pass
> to the sudoers.5.gz man page in the sudo_1.6.8p7-1.4_i386.deb.
Umh... That's a packaging bug. I'll have it recreate the manpage
explicitly.
> I just read through all bugreports, and carefully tried to reproduce
> each one to see if all is well now.
>
> Most importantly, the variables that are kept are indeed now the same as
> I would get when I specify "Defaults env_reset". Specifically:
> HOME variable kept (closes #349587)
> SHELL variable kept (closes #350776)
> DISPLAY variable kept (closes #349085)
> XAUTHORITY variable kept (closes #349549)
These are not passed through by env_reset with the original source,
but only with this patch.
> Two variables are not kept:
> EDITOR variable kept (bug #349196).
Not important.
> LC_ALL variable kept in earlier releases, including sudo_1.6.8p7-1.3
> (the previous security fix).
I've added the locale variables again.
> Update manual pages (#349129):
> NOT FIXED.
Done now.
> Given that some things still need manual tweaking (e.g. EDITOR or LC_*
> variables), it is good to update the page. I noticed that one of the
> file you created, sudo_1.6.8p7-1.4.diff.gz, has some manual changes to
> sudoers.pod, but these changes are not reflected in the sudoers.5.gz man
> page in the sudo_1.6.8p7-1.4_i386.deb. Additionally, if you have not
> done so, here is also a patch for the man pages:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349196;msg=34
Too many unrelated changes, rejected, should potentially be applied to
the version in sid->etch.
> sudo -V output is misleading: it gives a very incomplete list of
> env vars that are removed. (also #349129)
> NOT FIXED.
Well... yes, it is misleading. That's due to the program structure.
> To be honest, I'm not sure if this should be fixed now. On one hand it
> would be good, but I fear that it may introduce too much new code (which
> seem a bad thing for a security patch). I would leave it open for etch,
> but not fix it in woody or sarge, but the security team can decide best.
It should be adjusted in sid instead.
> Complaint about 'sudo vi <anyfile>':
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349196;msg=15
> Status: I can't reproduce it (or it is simply fixed now)
Problem was missing $HOME.
> Complaint about "sudo joe filename":
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349196;msg=10
> Status: I can't reproduce it (or it is simply fixed now)
Problem was missing $HOME.
> Complaint that "Defaults env_reset, env_keep=*, always_set_home" gives
> two PATH variables instead of one (#354431).
> NOT FIXED.
> This is indeed an important bug, but I think it is not directly related
> to the security bug, and should thus just be fixed in etch.
Not security related.
> Finally, I suggest adding a /usr/share/doc/sudo/README.Debian file with
> these contents:
Ok.
Thanks a lot. I've produced new packages and copied them to the same
location.
Regards,
Joey
--
Linux - the choice of a GNU generation.
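The thread above establishes what the patched package keeps under env_reset (HOME, SHELL, DISPLAY, XAUTHORITY, plus the locale variables re-added by Joey) and what still needs manual tweaking (EDITOR, LC_*). The following sudoers fragment is an added example, not text from the thread or from the README.Debian proposed in it; it shows how an administrator would state that whitelist explicitly with env_keep instead of reaching for a wildcard. It assumes sudo 1.6.8's env_reset / env_keep syntax and uses only variable names that appear in the discussion.

```sudoers
# Added example (not from the thread or the Debian package): an explicit
# environment whitelist on top of env_reset. Names listed are the ones
# discussed above; nothing else is passed through to the target command.
Defaults env_reset

# EDITOR is not kept by env_reset; re-add it so visudo/sudo -e honour it
Defaults env_keep += "EDITOR"

# Locale variables, which the earlier 1.6.8p7-1.3 build also kept
Defaults env_keep += "LC_ALL"

# HOME, SHELL, DISPLAY and XAUTHORITY are kept by the patched package's
# env_reset already; listing them makes the intent explicit and survives
# an upgrade to a sudo build whose default env_reset list differs
Defaults env_keep += "HOME SHELL DISPLAY XAUTHORITY"
```

An explicit list like this is preferable to `env_keep=*`, which reintroduces the whole caller environment and, as the thread notes (#354431), interacts badly with always_set_home by producing two PATH entries. After editing, run visudo in check mode (`visudo -c`) so a syntax slip does not lock out sudo entirely, and compare `sudo env` against `env` to confirm only the listed variables survive.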