
Re: "Fix" of sudo with DSA-946-1



Freek Dijkstra wrote:
> Martin Schulze wrote:
> 
> > Proposed updates for woody and sarge are here:
> > http://klecker.debian.org/~joey/security/sudo/
> > I'd be glad if you could test them.
> 
> That's awesome. Thanks! Here, have some karma :-)

:)

> I just installed your version on sarge using:
> - Remove my (custom) "Defaults" line in my /etc/sudoers file
> - sudo dpkg -i sudo_1.6.8p7-1.4_i386.deb
> 
> Most environment variables seem there as I would expect, and those I
> don't expect are indeed removed. The only issue I still have is that the
> manual page should still be updated. I noticed some changes in
> sudoers.pod (in sudo_1.6.8p7-1.4.diff.gz), but somehow that did not pass
> to the sudoers.5.gz man page in the sudo_1.6.8p7-1.4_i386.deb.

Umh...  That's a packaging bug, I'll get it to recreate the manpage
explicitly.

> I just read through all bugreports, and carefully tried to reproduce
> each one to see if all is well now.
> 
> Most importantly, the variables that are kept are indeed now the same as
> I would get when I specify "Defaults env_reset". Specifically:
> HOME variable kept (closes #349587)
> SHELL variable kept (closes #350776)

> DISPLAY variable kept (closes #349085)
> XAUTHORITY variable kept (closes #349549)

These are not passed through by env_reset with the original source,
but only with this patch.

> Two variables are not kept:
> EDITOR variable kept (bug #349196).

Not important.

> LC_ALL variable kept in earlier releases, including sudo_1.6.8p7-1.3
> (the previous security fix).

I've added the locale variables again.

> Update manual pages (#349129):
> NOT FIXED.

Done now.

> Given that some things still need manual tweaking (e.g. EDITOR or LC_*
> variables), it is good to update the page. I noticed that one of the
> files you created, sudo_1.6.8p7-1.4.diff.gz, has some manual changes to
> sudoers.pod, but these changes are not reflected in the sudoers.5.gz man
> page in the sudo_1.6.8p7-1.4_i386.deb. Additionally, if you have not
> done so, here is also a patch for the man pages:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349196;msg=34

Too many unrelated changes, rejected, should potentially be applied to
the version in sid->etch.

> sudo -V output is misleading: it gives a very incomplete list of
> env vars that are removed. (also #349129)
> NOT FIXED.

Well... yes, it is misleading.  That's due to the program structure.

> To be honest, I'm not sure if this should be fixed now. On one hand it
> would be good, but I fear that it may introduce too much new code (which
> seem a bad thing for a security patch). I would leave it open for etch,
> but not fix it in woody or sarge, but the security team can decide best.

It should be adjusted in sid instead.

> Complaint about 'sudo vi <anyfile>':
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349196;msg=15
> Status: I can't reproduce it (or it is simply fixed now)

Problem was missing $HOME.

> Complaint about "sudo joe filename":
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349196;msg=10
> Status: I can't reproduce it (or it is simply fixed now)

Problem was missing $HOME.

> Complaint that "Defaults env_reset, env_keep=*, always_set_home" gives
> two PATH variables instead of one (#354431).
> NOT FIXED.
> This is indeed an important bug, but I think it is not directly related
> to the security bug, and should thus just be fixed in etch.

Not security related.

> Finally, I suggest adding a /usr/share/doc/sudo/README.Debian file with
> these contents:

Ok.

Thanks a lot.  I've produced new packages and copied them to the same
location.

Regards,

	Joey

-- 
Linux - the choice of a GNU generation.
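The thread above checks, bug by bug, which environment variables survive the patched sudo's env_reset and notes a case where PATH ends up twice. The script below is an added example, not part of the thread or of the Debian sudo package: it compares an environment dump taken outside sudo with one taken through `sudo env` and reports the variables that were dropped, the ones that were kept, and any name that occurs more than once. The two embedded dumps (user name, paths and values) are constructed samples so the script runs offline; for a real check, capture `env | sort` and `sudo env | sort` into two files and pass those instead.

```shell
#!/bin/sh
# Added example (not from the Debian thread): compare an environment dump taken
# outside sudo with one taken through "sudo env", and report which variables
# sudo dropped, which it passed through, and which occur more than once
# (the duplicate-PATH symptom mentioned for "env_keep=*, always_set_home").
#
# Real-world use (run as the unprivileged user):
#   env | sort > outside.txt
#   sudo env | sort > inside.txt
#   dropped_vars outside.txt inside.txt
#   duplicated_vars inside.txt
# The demo at the bottom runs on constructed sample dumps instead, so the
# script works offline without sudo.

# Names (text before the first '=') present in OUTSIDE but not in INSIDE:
# these were stripped by env_reset. Lines that are not "NAME=value" (e.g. the
# continuation of a multi-line value) are skipped.
dropped_vars() {
    awk -F= -v inside="$2" '
        $1 !~ /^[A-Za-z_][A-Za-z0-9_]*$/ { next }
        FILENAME == inside { in_sudo[$1] = 1; next }
        !($1 in in_sudo) && !seen[$1]++ { print $1 }
    ' "$2" "$1"
}

# Names present in both dumps: the variables sudo kept.
kept_vars() {
    awk -F= -v inside="$2" '
        $1 !~ /^[A-Za-z_][A-Za-z0-9_]*$/ { next }
        FILENAME == inside { in_sudo[$1] = 1; next }
        ($1 in in_sudo) && !seen[$1]++ { print $1 }
    ' "$2" "$1"
}

# Names that occur more than once in a single dump, e.g. two PATH entries.
duplicated_vars() {
    awk -F= '
        $1 !~ /^[A-Za-z_][A-Za-z0-9_]*$/ { next }
        { count[$1]++ }
        END { for (v in count) if (count[v] > 1) print v }
    ' "$1" | sort
}

# Constructed sample dumps (not real captures). OUTSIDE mimics a user's
# session; INSIDE mimics "sudo env" after env_reset: EDITOR, LC_ALL and
# LD_PRELOAD are gone, HOME was reset to root's, and PATH appears twice.
make_samples() {
    OUTSIDE=$(mktemp)
    INSIDE=$(mktemp)
    cat > "$OUTSIDE" <<'EOF'
HOME=/home/freek
SHELL=/bin/bash
DISPLAY=:0
XAUTHORITY=/home/freek/.Xauthority
EDITOR=vim
LC_ALL=en_US.UTF-8
PATH=/usr/local/bin:/usr/bin:/bin
LD_PRELOAD=/tmp/example.so
EOF
    cat > "$INSIDE" <<'EOF'
HOME=/root
SHELL=/bin/bash
DISPLAY=:0
XAUTHORITY=/home/freek/.Xauthority
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PATH=/usr/local/bin:/usr/bin:/bin
SUDO_USER=freek
EOF
}

# Stand-alone demo on the constructed samples.
make_samples
printf 'dropped by sudo:   %s\n' "$(dropped_vars "$OUTSIDE" "$INSIDE" | tr '\n' ' ')"
printf 'kept by sudo:      %s\n' "$(kept_vars "$OUTSIDE" "$INSIDE" | tr '\n' ' ')"
printf 'duplicated inside: %s\n' "$(duplicated_vars "$INSIDE" | tr '\n' ' ')"
rm -f "$OUTSIDE" "$INSIDE"
```

A variable showing up under "dropped" that a program needs (EDITOR, LC_ALL) is the case for an explicit `env_keep` entry in sudoers; a name under "duplicated" is the PATH symptom the thread defers to etch, and is worth reporting rather than silently tolerating, since which of the two copies a program sees depends on its libc.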