Message-ID: <20100226214405.GA1693@severus.strandboge.com>
Date: Fri, 26 Feb 2010 15:44:06 -0600
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [USN-905-1] sudo vulnerabilities
===========================================================
Ubuntu Security Notice USN-905-1 February 26, 2010
sudo vulnerabilities
CVE-2010-0426, CVE-2010-0427
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
sudo 1.6.8p12-1ubuntu6.1
sudo-ldap 1.6.8p12-1ubuntu6.1
Ubuntu 8.04 LTS:
sudo 1.6.9p10-1ubuntu3.6
sudo-ldap 1.6.9p10-1ubuntu3.6
Ubuntu 8.10:
sudo 1.6.9p17-1ubuntu2.2
sudo-ldap 1.6.9p17-1ubuntu2.2
Ubuntu 9.04:
sudo 1.6.9p17-1ubuntu3.1
sudo-ldap 1.6.9p17-1ubuntu3.1
Ubuntu 9.10:
sudo 1.7.0-1ubuntu2.1
sudo-ldap 1.7.0-1ubuntu2.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that sudo did not properly validate the path for the
'sudoedit' pseudo-command. A local attacker could exploit this to execute
arbitrary code as root if sudo was configured to allow the attacker to use
sudoedit. The sudoedit pseudo-command is not used in the default
installation of Ubuntu. (CVE-2010-0426)
It was discovered that sudo did not reset group permissions when the
'runas_default' configuration option was used. A local attacker could
exploit this to escalate group privileges if sudo was configured to allow
the attacker to run commands under the runas_default account. The
runas_default configuration option is not used in the default installation
of Ubuntu. This issue affected Ubuntu 8.04 LTS, 8.10 and 9.04.
(CVE-2010-0427)
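As an added example (not part of this notice or of the sudo project), the following Python script checks the two things a defender takes from the advisory: whether an installed sudo/sudo-ldap package version is at or above the fixed version listed above for its Ubuntu release, using dpkg's version ordering, and whether a sudoers file uses the `sudoedit` pseudo-command or the `runas_default` option that the advisory names as preconditions for exposure. The sudoers fragment is constructed for the example; the fixed-version table is copied from the notice.

```python
import re

# Fixed sudo/sudo-ldap versions per Ubuntu release, copied from USN-905-1.
FIXED_VERSIONS = {"6.06": "1.6.8p12-1ubuntu6.1", "8.04": "1.6.9p10-1ubuntu3.6",
                  "8.10": "1.6.9p17-1ubuntu2.2", "9.04": "1.6.9p17-1ubuntu3.1",
                  "9.10": "1.7.0-1ubuntu2.1"}

# Constructed sample sudoers fragment (not from the advisory) showing both constructs.
SUDOERS_SAMPLE = """\
Defaults:ops    runas_default=backup
alice   ALL=(root) sudoedit /etc/hosts
bob     ALL=(ALL) /usr/bin/apt-get   # sudoedit only in a comment, so not a hit
"""

def _deb_key(fragment):
    # Sort key implementing dpkg's ordering: non-digit runs compare lexically with
    # '~' < end-of-run (0) < letters < other characters; digit runs compare numerically.
    def order(c):
        return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
    key = []
    for nondigit, digits in re.findall(r"(\D*)(\d*)", fragment):
        key += [tuple(order(c) for c in nondigit) + (0,), int(digits or 0)]
    return key

def deb_version_cmp(v1, v2):
    """Compare Debian versions of the form [epoch:]upstream[-revision]; returns -1, 0 or 1."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return (int(epoch), _deb_key(upstream), _deb_key(rev))
    k1, k2 = split(v1), split(v2)
    return (k1 > k2) - (k1 < k2)

def is_patched(release, installed):
    """True if the installed version is at or above the USN-905-1 fix for that release."""
    return deb_version_cmp(installed, FIXED_VERSIONS[release]) >= 0

def sudoers_exposure(text):
    """Return (line, construct) for each sudoedit user spec or runas_default Defaults line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        stmt = line.split("#", 1)[0].strip()  # drop comments (also skips #include lines)
        if stmt.startswith("Defaults") and "runas_default" in stmt:
            hits.append((n, "runas_default"))
        elif not stmt.startswith("Defaults") and re.search(r"\bsudoedit\b", stmt):
            hits.append((n, "sudoedit"))
    return hits

if __name__ == "__main__":
    print("9.10 sudo 1.7.0-1ubuntu2 patched:", is_patched("9.10", "1.7.0-1ubuntu2"))
    print("sudoers exposure:", sudoers_exposure(SUDOERS_SAMPLE))
```

On a live system the installed version comes from `dpkg-query -W -f='${Version}' sudo`, and sudoers should be read with `visudo -c -f` semantics in mind (included files in `/etc/sudoers.d` need the same scan).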
Updated packages for Ubuntu 6.06 LTS:
Updated packages for Ubuntu 8.04 LTS:
Updated packages for Ubuntu 8.10:
Updated packages for Ubuntu 9.04:
Updated packages for Ubuntu 9.10: