lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20100226214405.GA1693@severus.strandboge.com>
Date: Fri, 26 Feb 2010 15:44:06 -0600
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [USN-905-1] sudo vulnerabilities

===========================================================
Ubuntu Security Notice USN-905-1          February 26, 2010
sudo vulnerabilities
CVE-2010-0426, CVE-2010-0427
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  sudo                            1.6.8p12-1ubuntu6.1
  sudo-ldap                       1.6.8p12-1ubuntu6.1

Ubuntu 8.04 LTS:
  sudo                            1.6.9p10-1ubuntu3.6
  sudo-ldap                       1.6.9p10-1ubuntu3.6

Ubuntu 8.10:
  sudo                            1.6.9p17-1ubuntu2.2
  sudo-ldap                       1.6.9p17-1ubuntu2.2

Ubuntu 9.04:
  sudo                            1.6.9p17-1ubuntu3.1
  sudo-ldap                       1.6.9p17-1ubuntu3.1

Ubuntu 9.10:
  sudo                            1.7.0-1ubuntu2.1
  sudo-ldap                       1.7.0-1ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that sudo did not properly validate the path for the
'sudoedit' pseudo-command. A local attacker could exploit this to execute
arbitrary code as root if sudo was configured to allow the attacker to use
sudoedit. The sudoedit pseudo-command is not used in the default
installation of Ubuntu. (CVE-2010-0426)

It was discovered that sudo did not reset group permissions when the
'runas_default' configuration option was used. A local attacker could
exploit this to escalate group privileges if sudo was configured to allow
the attacker to run commands under the runas_default account. The
runas_default configuration option is not used in the default installation
of Ubuntu. This issue affected Ubuntu 8.04 LTS, 8.10 and 9.04.
(CVE-2010-0427)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.1.diff.gz
      Size/MD5:    36465 14d0df16c74cd33e67550cc3011e79bb
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.1.dsc
      Size/MD5:      618 d3ff741b9d7e1d3e01abd562318018c2
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12.orig.tar.gz
      Size/MD5:   585643 b29893c06192df6230dd5f340f3badf5

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.1_amd64.deb
      Size/MD5:   177298 33ba18356cb72b861d6ecda89529b0fb
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.8p12-1ubuntu6.1_amd64.deb
      Size/MD5:   189148 aeefad19f406872cac0eded167f4e065

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.1_i386.deb
      Size/MD5:   162882 b873dc9cb110544216feef747d32e5a2
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.8p12-1ubuntu6.1_i386.deb
      Size/MD5:   174316 293c645a4a4d57ccb27e473b5ea9c508

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.1_powerpc.deb
      Size/MD5:   171444 ad26abb760441edbf15f7e098b1e1532
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.8p12-1ubuntu6.1_powerpc.deb
      Size/MD5:   183624 8d045143fc6daf29a153184055bfea53

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.1_sparc.deb
      Size/MD5:   167550 c27e7f387cb19b5bf3d932957181b5a6
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.8p12-1ubuntu6.1_sparc.deb
      Size/MD5:   180092 fc286f32e79a3010f81f20413168aa04

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.6.diff.gz
      Size/MD5:    29374 e6db1630f2b05c8e9839f4fe4aca266a
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.6.dsc
      Size/MD5:      702 20547db3a024d46b8217acf1e83b83ef
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10.orig.tar.gz
      Size/MD5:   579302 16db2a1213159a1fac8239eab58108f5

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.6_amd64.deb
      Size/MD5:   188358 23215819c29dc7de3a4af5ca1a57032c
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.6_amd64.deb
      Size/MD5:   200026 7c6057e1ed38e8cda9a4d205faf1ac13

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.6_i386.deb
      Size/MD5:   176538 1e833016ee022766c2ca1a7e29b596ed
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.6_i386.deb
      Size/MD5:   187408 0e0472b16b1add85df28b0675589956d

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.6_lpia.deb
      Size/MD5:   177632 8b2edc241c35137afd81c396a0043431
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.6_lpia.deb
      Size/MD5:   188378 ad2a9d36a94c36e1bcecc1bca64b2d95

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.6_powerpc.deb
      Size/MD5:   188556 9f0e4fb02064fc1b40829de2c1e92805
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.6_powerpc.deb
      Size/MD5:   202394 ef74f61e9c34ee11ef51d38377a0be55

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.6_sparc.deb
      Size/MD5:   182512 24f0ed4658aae0c538ca564e4c5950c3
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.6_sparc.deb
      Size/MD5:   193640 a2b3b6604ff6c4546e5a8d061fdb7cab

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.2.diff.gz
      Size/MD5:    26459 e127fb89620f45f5d9184bd87b45464a
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.2.dsc
      Size/MD5:     1098 2959f2bc61d7ccecfb8fc554b446d463
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17.orig.tar.gz
      Size/MD5:   593534 60daf18f28e2c1eb7641c4408e244110

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.2_amd64.deb
      Size/MD5:   191296 c1d1c53708d512a746da226117d130d0
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.2_amd64.deb
      Size/MD5:   202256 f4d5961be5ef3eee80906f2c6d39a4b8

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.2_i386.deb
      Size/MD5:   179370 d21813fed543bfed0e0704a1ce0341ef
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.2_i386.deb
      Size/MD5:   188842 55a32e9081772f8611e1006d3ddcfb50

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.2_lpia.deb
      Size/MD5:   180432 ab0bcf69bfba1bc48e9a6a3ba3030c5f
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.2_lpia.deb
      Size/MD5:   189652 8dc329d7a87d2d5bf2eb70071361b792

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.2_powerpc.deb
      Size/MD5:   188732 81d7e525bdfb3421d46e5c7623963e63
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.2_powerpc.deb
      Size/MD5:   201208 69d7905dce680b3d9f30f6476e486ae6

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.2_sparc.deb
      Size/MD5:   184208 1d87f6e84ad37cceb1ab1b16083336ad
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.2_sparc.deb
      Size/MD5:   193944 b6c81515751ff1b11d6b7b8bf9893206

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.1.diff.gz
      Size/MD5:    26464 d01e9f40ceb7ee72cd544dccc0ff61ec
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.1.dsc
      Size/MD5:     1098 7d36e3ce35d2745b8ad1ee6f3341713d
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17.orig.tar.gz
      Size/MD5:   593534 60daf18f28e2c1eb7641c4408e244110

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.1_amd64.deb
      Size/MD5:   191292 db0dd72e435fc48ac109d67b9d896573
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.1_amd64.deb
      Size/MD5:   202254 5ba756fd3ddf796ea948f0f3da4cdd80

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.1_i386.deb
      Size/MD5:   179392 d8984ef79dfd27e314343b3e8f42bb41
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.1_i386.deb
      Size/MD5:   188846 ce40b21ebc2e2a95be415c768661a785

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.1_lpia.deb
      Size/MD5:   180456 6fded1767a6b44cf99f25a82476a52da
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.1_lpia.deb
      Size/MD5:   189674 e271b1fa6d7f17917163dbb37863eb2e

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.1_powerpc.deb
      Size/MD5:   188744 039f52f42d3eeded8ce75e96e276e53d
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.1_powerpc.deb
      Size/MD5:   201216 2a649addcffab0eaa94f36a45c3848cd

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.1_sparc.deb
      Size/MD5:   184136 ca187dd7a7b3eca1b6788bb8b7615f7e
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.1_sparc.deb
      Size/MD5:   193798 ebf79bbc5f19b50d8ffa60bad381966b

Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.1.diff.gz
      Size/MD5:    23742 31fa50ea42efb75a6995ce43e05f8d3a
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.1.dsc
      Size/MD5:     1117 ac9f701eef71f472756479f9c07d5ff3
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0.orig.tar.gz
      Size/MD5:   744311 5fd96bba35fe29b464f7aa6ad255f0a6

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.1_amd64.deb
      Size/MD5:   310278 7f1b840d6412b168c70d2f136cb0a3a5
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.1_amd64.deb
      Size/MD5:   333962 a01561815cf0e835cb889663eaf81d06

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.1_i386.deb
      Size/MD5:   297694 d514dde2dfc8ec32c92de9d71d8f5832
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.1_i386.deb
      Size/MD5:   319300 e3a4e6d67ed8644c9bed06337cadc156

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.1_lpia.deb
      Size/MD5:   297858 82f884376f3ab60cd35466d70446514d
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.1_lpia.deb
      Size/MD5:   319686 f9ec4970846681134c868621c8d5989e

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.1_powerpc.deb
      Size/MD5:   305874 88b6f4ad953f85c7b32898b7b3823163
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.1_powerpc.deb
      Size/MD5:   328914 b973b5fa801148e11d3747ab89b84a3f

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.1_sparc.deb
      Size/MD5:   301460 e5cf051efacfdca66a3aa186d01f5a80
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.1_sparc.deb
      Size/MD5:   323606 b82e9af9f7f18ebf31aee38835aaf901




Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ