lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1283867195.4490.2.camel@luna>
Date: Tue, 07 Sep 2010 08:46:35 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce <ubuntu-security-announce@...ts.ubuntu.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
	bugtraq@...urityfocus.com
Subject: [USN-983-1] Sudo vulnerability

===========================================================
Ubuntu Security Notice USN-983-1         September 07, 2010
sudo vulnerability
CVE-2010-2956
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  sudo                            1.7.0-1ubuntu2.5
  sudo-ldap                       1.7.0-1ubuntu2.5

Ubuntu 10.04 LTS:
  sudo                            1.7.2p1-1ubuntu5.2
  sudo-ldap                       1.7.2p1-1ubuntu5.2

In general, a standard system update will make all the necessary changes.

Details follow:

Markus Wuethrich discovered that sudo did not always verify the user when a
group was specified in the Runas_Spec. A local attacker could exploit this
to execute arbitrary code as root if sudo was configured to allow the
attacker to use a program as a group when the attacker was not a part of
that group.


Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.5.diff.gz
      Size/MD5:    25514 9bfdb8f41c6a5dd5544e6d6b8ab4ac5c
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.5.dsc
      Size/MD5:     1117 431ea989e3fa57b00f8fb13f3e54a025
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0.orig.tar.gz
      Size/MD5:   744311 5fd96bba35fe29b464f7aa6ad255f0a6

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.5_amd64.deb
      Size/MD5:   310700 e0e0a0dc1fb83f31f996679b9b13b01f
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.5_amd64.deb
      Size/MD5:   334376 9492e829a5b04057a804697e644b9644

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.5_i386.deb
      Size/MD5:   298210 70b9f891286606ce2a4b1db2f3676bd4
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.5_i386.deb
      Size/MD5:   319766 c0df54d97c686bccea3a2b986833d44e

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.5_lpia.deb
      Size/MD5:   298316 609d145034a593e5b637c0c5b9e176b8
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.5_lpia.deb
      Size/MD5:   320176 426ef7871e3c372491fbbd8790350857

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.5_powerpc.deb
      Size/MD5:   306220 7b0b1b6e6ee37e4b33a638e7f2ac292e
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.5_powerpc.deb
      Size/MD5:   329152 1b0cb4498c03cc2883c00837bff8bb83

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.5_sparc.deb
      Size/MD5:   301892 f46d44e1a8c46a575c5c4f0700910462
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.5_sparc.deb
      Size/MD5:   323970 7a10f46aa2c9388aa74a342d44c41ac4

Updated packages for Ubuntu 10.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.2p1-1ubuntu5.2.diff.gz
      Size/MD5:    26583 f3077ddbefcc852cb66d71ec63e0013c
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.2p1-1ubuntu5.2.dsc
      Size/MD5:     1131 456ecc22f3b88cb3e60dbfac679b110a
    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.2p1.orig.tar.gz
      Size/MD5:   771059 4449d466a774f5ce401c9c0e3866c026

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.2p1-1ubuntu5.2_amd64.deb
      Size/MD5:   326768 29f77801c5304c74366abaecd451080b
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.7.2p1-1ubuntu5.2_amd64.deb
      Size/MD5:   350566 08c716ab408e519bb090e2a46715696c

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.2p1-1ubuntu5.2_i386.deb
      Size/MD5:   312528 8bdaeb041859991919aade6a85c70cd1
    http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.7.2p1-1ubuntu5.2_i386.deb
      Size/MD5:   334432 bf7f83603498e26e4f7618eea82cb836

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.2p1-1ubuntu5.2_powerpc.deb
      Size/MD5:   321234 498592d623ad408c02dc9dc3794674ae
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.2p1-1ubuntu5.2_powerpc.deb
      Size/MD5:   345118 09a20cd3444df0ac4ac34b0829332fac

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.2p1-1ubuntu5.2_sparc.deb
      Size/MD5:   318604 71c8f38d47ed96f07d53192ed729c4e9
    http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.2p1-1ubuntu5.2_sparc.deb
      Size/MD5:   341828 99b090b6d40959d6d349439e0e8934ba




Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ