lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20100415163358.GA6821@severus.strandboge.com>
Date: Thu, 15 Apr 2010 11:33:58 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-928-1] Sudo vulnerability

===========================================================
Ubuntu Security Notice USN-928-1             April 15, 2010
sudo vulnerability
https://launchpad.net/bugs/563963
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  sudo                            1.6.8p12-1ubuntu6.2
  sudo-ldap                       1.6.8p12-1ubuntu6.2

Ubuntu 8.04 LTS:
  sudo                            1.6.9p10-1ubuntu3.7
  sudo-ldap                       1.6.9p10-1ubuntu3.7

Ubuntu 8.10:
  sudo                            1.6.9p17-1ubuntu2.3
  sudo-ldap                       1.6.9p17-1ubuntu2.3

Ubuntu 9.04:
  sudo                            1.6.9p17-1ubuntu3.2
  sudo-ldap                       1.6.9p17-1ubuntu3.2

Ubuntu 9.10:
  sudo                            1.7.0-1ubuntu2.2
  sudo-ldap                       1.7.0-1ubuntu2.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Valerio Costamagna discovered that sudo did not properly validate the path
for the 'sudoedit' pseudo-command when the PATH contained only a dot ('.').
If secure_path and ignore_dot were disabled, a local attacker could exploit
this to execute arbitrary code as root if sudo was configured to allow the
attacker to use sudoedit. By default, secure_path is used and the sudoedit
pseudo-command is not used in Ubuntu. This is a different but related issue
to CVE-2010-0426.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.2.diff.gz
      Size/MD5:    36735 c7e6e0987a98c0039c7367e55be06b77
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.2.dsc
      Size/MD5:      618 cee46b55595f3a4417831ca93a413a57
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12.orig.tar.gz
      Size/MD5:   585643 b29893c06192df6230dd5f340f3badf5

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.2_amd64.deb
      Size/MD5:   177410 81101533cbcef2f0e124a629309ba736
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.8p12-1ubuntu6.2_amd64.deb
      Size/MD5:   189300 929042e125a96fb9f9d07121a2ab0d87

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.2_i386.deb
      Size/MD5:   162998 7394076ea85b56f928622b7241ff5da4
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.8p12-1ubuntu6.2_i386.deb
      Size/MD5:   174410 31f17e264d588a418772b2553b588983

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.2_powerpc.deb
      Size/MD5:   171604 7655e64f2b75c14638a64b4b343e9fe6
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.8p12-1ubuntu6.2_powerpc.deb
      Size/MD5:   183772 3d1cb111899646f7eb0d392ff33c4d22

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.2_sparc.deb
      Size/MD5:   167692 4be5d3e92d8ea5334b6e84835683a2c1
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.8p12-1ubuntu6.2_sparc.deb
      Size/MD5:   180246 3fa1cb8b677210e2c74090b9b35c8206

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.7.diff.gz
      Size/MD5:    29618 7567e0be6446f17b254221b739c07996
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.7.dsc
      Size/MD5:      702 07693cd03ca8e11d8af469148bfa18c2
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10.orig.tar.gz
      Size/MD5:   579302 16db2a1213159a1fac8239eab58108f5

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.7_amd64.deb
      Size/MD5:   188426 8bebb97bd861d824b370f528d74638b0
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.7_amd64.deb
      Size/MD5:   200104 bda49af159988c625cc8540389a542e6

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.7_i386.deb
      Size/MD5:   176658 2ef5c88a84bfefc024de8c98522c547e
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.7_i386.deb
      Size/MD5:   187508 f9809828e32255a635051f2bf2fd52e3

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.7_lpia.deb
      Size/MD5:   177722 5ade363457ea20b36843aec86c43e6ec
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.7_lpia.deb
      Size/MD5:   188506 07007824b823228ab9e3cb71d9c3d1b8

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.7_powerpc.deb
      Size/MD5:   188648 745940413991a88100764e10329fc200
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.7_powerpc.deb
      Size/MD5:   202516 64131bfedf6b879abae928de17709847

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.7_sparc.deb
      Size/MD5:   182610 2b4d2e4d66ae5a98d81b20ec068e06ca
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.7_sparc.deb
      Size/MD5:   193706 aa4d90f564809d2c52c409ee08f7ec7d

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.3.diff.gz
      Size/MD5:    26703 53450aae72fd4ff5ef1b67bdb7aa0810
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.3.dsc
      Size/MD5:     1098 92f13b0ab92f0288622c34089570390c
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17.orig.tar.gz
      Size/MD5:   593534 60daf18f28e2c1eb7641c4408e244110

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.3_amd64.deb
      Size/MD5:   191376 01e4d7cca5da5d736e375a5d653be2f6
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.3_amd64.deb
      Size/MD5:   202366 c5ed35feb2c9d7c1ea115610e8500662

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.3_i386.deb
      Size/MD5:   179492 70490bcbb5a3e7950e31c2493754a94f
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.3_i386.deb
      Size/MD5:   188950 de9624a340c588706b912d091a29395a

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.3_lpia.deb
      Size/MD5:   180568 aa481c3c998a882ec39ff624a17c470b
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.3_lpia.deb
      Size/MD5:   189796 3110116a57d79f31075c1747b5fdc998

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.3_powerpc.deb
      Size/MD5:   188868 ed1514de1313f0fd81b6c252cacc65dc
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.3_powerpc.deb
      Size/MD5:   201376 efd41e0313475db360a1f48d6359c632

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.3_sparc.deb
      Size/MD5:   184318 fd96f1f61d6b3d0c26bed40784beaeda
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.3_sparc.deb
      Size/MD5:   194048 5ee93d6e457b541fb4ac89e0bd059820

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.2.diff.gz
      Size/MD5:    26708 75f28b3212a9d34a3c1ea84e8dc421de
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.2.dsc
      Size/MD5:     1098 82922ad2f30bdc41b29192335f28f084
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17.orig.tar.gz
      Size/MD5:   593534 60daf18f28e2c1eb7641c4408e244110

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.2_amd64.deb
      Size/MD5:   191362 e2c3970a3358d127cb5482749e48cc13
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.2_amd64.deb
      Size/MD5:   202358 44f639898ae4f40527f8627468c1988a

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.2_i386.deb
      Size/MD5:   179514 47fbc07f6827ecc074e3dc6e59328fa7
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.2_i386.deb
      Size/MD5:   188976 1058bce621e5f89a951cae5e0f59fce8

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.2_lpia.deb
      Size/MD5:   180604 ba821107abd87a9fb846db64ad81dc86
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.2_lpia.deb
      Size/MD5:   189826 9bd642aa06abe3a56cb38ae624f18c95

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.2_powerpc.deb
      Size/MD5:   188868 294ef55b0a3f5b3880d54e3130bac961
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.2_powerpc.deb
      Size/MD5:   201382 4acdc25ff7a93ced1a514697bcf2546b

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.2_sparc.deb
      Size/MD5:   184224 107e2c84d28f90073a71d7d45e6dabe2
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.2_sparc.deb
      Size/MD5:   193928 d283f60b4cf782e724309528a5c37c1f

Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.2.diff.gz
      Size/MD5:    23991 d7ed14666b7725c1c90ee5373e6b493b
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.2.dsc
      Size/MD5:     1117 90f89205701115986ad94c234fec88de
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0.orig.tar.gz
      Size/MD5:   744311 5fd96bba35fe29b464f7aa6ad255f0a6

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.2_amd64.deb
      Size/MD5:   310330 f7ed720332dc09e94f3caeb5cfd61a23
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.2_amd64.deb
      Size/MD5:   334118 6b5c29f330189dc0c96e90a8c724114e

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.2_i386.deb
      Size/MD5:   297788 275954f47eee1e3070a6ed4a8f88a44a
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.2_i386.deb
      Size/MD5:   319396 5b0df976b974fb357dcc96b9eba19a84

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.2_lpia.deb
      Size/MD5:   298004 a6fc0c417840fe291f4850c2902c5157
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.2_lpia.deb
      Size/MD5:   319820 12199da9bf6a388eaf395a009f7b1025

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.2_powerpc.deb
      Size/MD5:   306012 72df477368ee2b5b88d10bf3f4a04130
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.2_powerpc.deb
      Size/MD5:   328996 e9a0fb7fcdfea28faa433472f77b50d1

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.2_sparc.deb
      Size/MD5:   301610 ed2dc9787c8c3c523fc384668e8ee498
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.2_sparc.deb
      Size/MD5:   323674 16f40c45f8ad7679606c5559aba18b70




Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ