Your message dated Tue, 05 Jan 2016 19:06:00 +0000
with message-id <[email protected]>
and subject line Bug#804149: fixed in sudo 1.7.4p4-2.squeeze.6
has caused the Debian Bug report #804149,
regarding CVE-2015-5602: Unauthorized privilege escalation in sudoedit
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
804149: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804149
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sudo
Version: 1.7.4p4-2.squeeze.4
Severity: critical
Tags: upstream security
Justification: root security hole
Hi,
Apparently a security issue has been disclosed (CVE-2015-5602) allowing users
to open files with sudoedit that they are not supposed to, using symlinks,
see: https://www.exploit-db.com/exploits/37710/
Upstream has released a new fixed version that does not follow symlinks
by default.
But according to this comment[0], this is not fixing the issue
completely.
Cheers,
Laurent Bigonville
[0] https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1512781/comments/1
--- End Message ---
--- Begin Message ---
Source: sudo
Source-Version: 1.7.4p4-2.squeeze.6
We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ben Hutchings <[email protected]> (supplier of updated sudo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 05 Jan 2016 18:45:35 +0000
Source: sudo
Binary: sudo sudo-ldap
Architecture: source
Version: 1.7.4p4-2.squeeze.6
Distribution: squeeze-lts
Urgency: medium
Maintainer: Bdale Garbee <[email protected]>
Changed-By: Ben Hutchings <[email protected]>
Description:
sudo - Provide limited super user privileges to specific users
sudo-ldap - Provide limited super user privileges to specific users
Closes: 804149
Changes:
sudo (1.7.4p4-2.squeeze.6) squeeze-lts; urgency=medium
.
* Non-maintainer upload by the Debian LTS team
* Disable editing of files via user-controllable symlinks
(Closes: #804149) (CVE-2015-5602)
- sudoedit path restriction bypass using symlinks
- Change warning when user tries to sudoedit a symbolic link
- Open sudoedit files with O_NONBLOCK and fail if they are not regular files
- Remove S_ISREG check from sudo_edit_open(), it is already done in the caller
- Add directory writability checks for sudoedit
- Fix directory writability checks for sudoedit
- Enable sudoedit directory writability checks by default
--- End Message ---
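The changelog above lists the checks the update adds to sudoedit: refuse symlinks, open with O_NONBLOCK and accept only regular files, and refuse files that sit under a directory the invoking user can write to. The C program below is an added illustration of those three checks from the invoking user's point of view; it is not sudo's own code, and the owner/group/other writability test and the parent-directory walk are this example's own simplification of what the package does.

```c
/* Hardened open on behalf of an unprivileged user, modelled on the checks in the
 * changelog: refuse symlinks, regular files only, refuse user-writable parents. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if a parent directory of the absolute `path` is writable by uid/gid (the user
 * could then replace a component with a symlink), 0 if none is, -1 on stat() error. */
int parent_writable_by(const char *path, uid_t uid, gid_t gid)
{
    char dir[PATH_MAX];
    struct stat st;
    snprintf(dir, sizeof dir, "%s", path);
    for (char *slash; (slash = strrchr(dir, '/')) != NULL; ) {
        *slash = '\0';                                /* drop the last component */
        if (stat(dir[0] ? dir : "/", &st) == -1) return -1;
        mode_t bit = st.st_uid == uid ? S_IWUSR : st.st_gid == gid ? S_IWGRP : S_IWOTH;
        if (st.st_mode & bit) return 1;
        if (dir[0] == '\0') break;                    /* "/" was just checked */
    }
    return 0;
}

/* Open the final component without following a symlink (open() fails with ELOOP);
 * O_NONBLOCK keeps a FIFO or device from hanging the open before fstat() can
 * reject it. Returns an fd, -1 (open failed) or -2 (not a regular file). */
int open_regular_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_NONBLOCK);
    if (fd == -1) return -1;
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode)) { close(fd); return -2; }
    return fd;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/hostname";   /* run as a normal user */
    if (parent_writable_by(path, getuid(), getgid()) != 0) { fputs("parent dir writable\n", stderr); return 1; }
    int fd = open_regular_nofollow(path);
    if (fd < 0) { fputs("symlink or not a regular file\n", stderr); return 1; }
    return close(fd);
}
```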