[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20100415163358.GA6821@severus.strandboge.com>
Date: Thu, 15 Apr 2010 11:33:58 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-928-1] Sudo vulnerability
===========================================================
Ubuntu Security Notice USN-928-1 April 15, 2010
sudo vulnerability
https://launchpad.net/bugs/563963
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
sudo 1.6.8p12-1ubuntu6.2
sudo-ldap 1.6.8p12-1ubuntu6.2
Ubuntu 8.04 LTS:
sudo 1.6.9p10-1ubuntu3.7
sudo-ldap 1.6.9p10-1ubuntu3.7
Ubuntu 8.10:
sudo 1.6.9p17-1ubuntu2.3
sudo-ldap 1.6.9p17-1ubuntu2.3
Ubuntu 9.04:
sudo 1.6.9p17-1ubuntu3.2
sudo-ldap 1.6.9p17-1ubuntu3.2
Ubuntu 9.10:
sudo 1.7.0-1ubuntu2.2
sudo-ldap 1.7.0-1ubuntu2.2
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Valerio Costamagna discovered that sudo did not properly validate the path
for the 'sudoedit' pseudo-command when the PATH contained only a dot ('.').
If secure_path and ignore_dot were disabled, a local attacker could exploit
this to execute arbitrary code as root if sudo was configured to allow the
attacker to use sudoedit. By default, secure_path is used and the sudoedit
pseudo-command is not used in Ubuntu. This is a different but related issue
to CVE-2010-0426.
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.2.diff.gz
Size/MD5: 36735 c7e6e0987a98c0039c7367e55be06b77
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.2.dsc
Size/MD5: 618 cee46b55595f3a4417831ca93a413a57
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12.orig.tar.gz
Size/MD5: 585643 b29893c06192df6230dd5f340f3badf5
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.2_amd64.deb
Size/MD5: 177410 81101533cbcef2f0e124a629309ba736
http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.8p12-1ubuntu6.2_amd64.deb
Size/MD5: 189300 929042e125a96fb9f9d07121a2ab0d87
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.2_i386.deb
Size/MD5: 162998 7394076ea85b56f928622b7241ff5da4
http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.8p12-1ubuntu6.2_i386.deb
Size/MD5: 174410 31f17e264d588a418772b2553b588983
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.2_powerpc.deb
Size/MD5: 171604 7655e64f2b75c14638a64b4b343e9fe6
http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.8p12-1ubuntu6.2_powerpc.deb
Size/MD5: 183772 3d1cb111899646f7eb0d392ff33c4d22
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.2_sparc.deb
Size/MD5: 167692 4be5d3e92d8ea5334b6e84835683a2c1
http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.8p12-1ubuntu6.2_sparc.deb
Size/MD5: 180246 3fa1cb8b677210e2c74090b9b35c8206
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.7.diff.gz
Size/MD5: 29618 7567e0be6446f17b254221b739c07996
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.7.dsc
Size/MD5: 702 07693cd03ca8e11d8af469148bfa18c2
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10.orig.tar.gz
Size/MD5: 579302 16db2a1213159a1fac8239eab58108f5
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.7_amd64.deb
Size/MD5: 188426 8bebb97bd861d824b370f528d74638b0
http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.7_amd64.deb
Size/MD5: 200104 bda49af159988c625cc8540389a542e6
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.7_i386.deb
Size/MD5: 176658 2ef5c88a84bfefc024de8c98522c547e
http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.7_i386.deb
Size/MD5: 187508 f9809828e32255a635051f2bf2fd52e3
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.7_lpia.deb
Size/MD5: 177722 5ade363457ea20b36843aec86c43e6ec
http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.7_lpia.deb
Size/MD5: 188506 07007824b823228ab9e3cb71d9c3d1b8
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.7_powerpc.deb
Size/MD5: 188648 745940413991a88100764e10329fc200
http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.7_powerpc.deb
Size/MD5: 202516 64131bfedf6b879abae928de17709847
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.7_sparc.deb
Size/MD5: 182610 2b4d2e4d66ae5a98d81b20ec068e06ca
http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.7_sparc.deb
Size/MD5: 193706 aa4d90f564809d2c52c409ee08f7ec7d
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.3.diff.gz
Size/MD5: 26703 53450aae72fd4ff5ef1b67bdb7aa0810
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.3.dsc
Size/MD5: 1098 92f13b0ab92f0288622c34089570390c
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17.orig.tar.gz
Size/MD5: 593534 60daf18f28e2c1eb7641c4408e244110
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.3_amd64.deb
Size/MD5: 191376 01e4d7cca5da5d736e375a5d653be2f6
http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.3_amd64.deb
Size/MD5: 202366 c5ed35feb2c9d7c1ea115610e8500662
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.3_i386.deb
Size/MD5: 179492 70490bcbb5a3e7950e31c2493754a94f
http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.3_i386.deb
Size/MD5: 188950 de9624a340c588706b912d091a29395a
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.3_lpia.deb
Size/MD5: 180568 aa481c3c998a882ec39ff624a17c470b
http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.3_lpia.deb
Size/MD5: 189796 3110116a57d79f31075c1747b5fdc998
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.3_powerpc.deb
Size/MD5: 188868 ed1514de1313f0fd81b6c252cacc65dc
http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.3_powerpc.deb
Size/MD5: 201376 efd41e0313475db360a1f48d6359c632
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.3_sparc.deb
Size/MD5: 184318 fd96f1f61d6b3d0c26bed40784beaeda
http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.3_sparc.deb
Size/MD5: 194048 5ee93d6e457b541fb4ac89e0bd059820
Updated packages for Ubuntu 9.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.2.diff.gz
Size/MD5: 26708 75f28b3212a9d34a3c1ea84e8dc421de
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.2.dsc
Size/MD5: 1098 82922ad2f30bdc41b29192335f28f084
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17.orig.tar.gz
Size/MD5: 593534 60daf18f28e2c1eb7641c4408e244110
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.2_amd64.deb
Size/MD5: 191362 e2c3970a3358d127cb5482749e48cc13
http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.2_amd64.deb
Size/MD5: 202358 44f639898ae4f40527f8627468c1988a
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.2_i386.deb
Size/MD5: 179514 47fbc07f6827ecc074e3dc6e59328fa7
http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.2_i386.deb
Size/MD5: 188976 1058bce621e5f89a951cae5e0f59fce8
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.2_lpia.deb
Size/MD5: 180604 ba821107abd87a9fb846db64ad81dc86
http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.2_lpia.deb
Size/MD5: 189826 9bd642aa06abe3a56cb38ae624f18c95
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.2_powerpc.deb
Size/MD5: 188868 294ef55b0a3f5b3880d54e3130bac961
http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.2_powerpc.deb
Size/MD5: 201382 4acdc25ff7a93ced1a514697bcf2546b
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.2_sparc.deb
Size/MD5: 184224 107e2c84d28f90073a71d7d45e6dabe2
http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.2_sparc.deb
Size/MD5: 193928 d283f60b4cf782e724309528a5c37c1f
Updated packages for Ubuntu 9.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.2.diff.gz
Size/MD5: 23991 d7ed14666b7725c1c90ee5373e6b493b
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.2.dsc
Size/MD5: 1117 90f89205701115986ad94c234fec88de
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0.orig.tar.gz
Size/MD5: 744311 5fd96bba35fe29b464f7aa6ad255f0a6
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.2_amd64.deb
Size/MD5: 310330 f7ed720332dc09e94f3caeb5cfd61a23
http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.2_amd64.deb
Size/MD5: 334118 6b5c29f330189dc0c96e90a8c724114e
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.2_i386.deb
Size/MD5: 297788 275954f47eee1e3070a6ed4a8f88a44a
http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.2_i386.deb
Size/MD5: 319396 5b0df976b974fb357dcc96b9eba19a84
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.2_lpia.deb
Size/MD5: 298004 a6fc0c417840fe291f4850c2902c5157
http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.2_lpia.deb
Size/MD5: 319820 12199da9bf6a388eaf395a009f7b1025
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.2_powerpc.deb
Size/MD5: 306012 72df477368ee2b5b88d10bf3f4a04130
http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.2_powerpc.deb
Size/MD5: 328996 e9a0fb7fcdfea28faa433472f77b50d1
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.2_sparc.deb
Size/MD5: 301610 ed2dc9787c8c3c523fc384668e8ee498
http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.2_sparc.deb
Size/MD5: 323674 16f40c45f8ad7679606c5559aba18b70
Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists