Your message dated Thu, 14 Jan 2016 23:17:42 +0000
with message-id <[email protected]>
and subject line Bug#804149: fixed in sudo 1.8.5p2-1+nmu3+deb7u1
has caused the Debian Bug report #804149,
regarding CVE-2015-5602: Unauthorized privilege escalation in sudoedit
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
804149: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804149
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sudo
Version: 1.7.4p4-2.squeeze.4
Severity: critical
Tags: upstream security
Justification: root security hole
Hi,
Apparently a security issue has been disclosed (CVE-2015-5602) allowing users
to open files with sudoedit that they are not supposed to, using symlinks,
see: https://www.exploit-db.com/exploits/37710/
Upstream has released a new fixed version by not following the symlinks
by default.
But according to this comment[0], this is not fixing the issue
completely.
Cheers,
Laurent Bigonville
[0] https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1512781/comments/1
--- End Message ---
--- Begin Message ---
Source: sudo
Source-Version: 1.8.5p2-1+nmu3+deb7u1
We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ben Hutchings <[email protected]> (supplier of updated sudo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 05 Jan 2016 18:48:03 +0000
Source: sudo
Binary: sudo sudo-ldap
Architecture: source
Version: 1.8.5p2-1+nmu3+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Bdale Garbee <[email protected]>
Changed-By: Ben Hutchings <[email protected]>
Description:
sudo - Provide limited super user privileges to specific users
sudo-ldap - Provide limited super user privileges to specific users
Closes: 804149
Changes:
sudo (1.8.5p2-1+nmu3+deb7u1) wheezy-security; urgency=medium
.
* Non-maintainer upload
* Fix CVE-2014-9680-{1,2}.patch to edit sudoers.pod, not just the
generated docs
* Disable editing of files via user-controllable symlinks
(Closes: #804149) (CVE-2015-5602)
- sudoedit path restriction bypass using symlinks
- Change warning when user tries to sudoedit a symbolic link
- Open sudoedit files with O_NONBLOCK and fail if they are not regular
files
- Remove S_ISREG check from sudo_edit_open(), it is already done in the
caller
- Add directory writability checks for sudoedit
- Fix directory writability checks for sudoedit
- Enable sudoedit directory writability checks by default
Checksums-Sha1:
3eff89c542097326b8ff7e11ce97f25f52f14528 1959 sudo_1.8.5p2-1+nmu3+deb7u1.dsc
95194417f876b27f53559b4df6fbd639763fbbd4 95564 sudo_1.8.5p2-1+nmu3+deb7u1.debian.tar.xz
Checksums-Sha256:
663ade0adb880e4693d8b0be936f274f9308c42978e0f8113efd92b72badf0d2 1959 sudo_1.8.5p2-1+nmu3+deb7u1.dsc
3011009364604bf9adccab4bcd65b1551b4cf398bef698d9ab3dd6f75efc2380 95564 sudo_1.8.5p2-1+nmu3+deb7u1.debian.tar.xz
Files:
6fa73e4b848b9cbc8cd05eeb7922351a 1959 admin optional sudo_1.8.5p2-1+nmu3+deb7u1.dsc
db482baf1d123b4f78aa10cf7103b5cb 95564 admin optional sudo_1.8.5p2-1+nmu3+deb7u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---
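The changelog in the closing message lists the defensive checks the update adds to sudoedit: refuse a symlink as the file to edit, open the file with O_NONBLOCK and fail unless it is a regular file, and refuse to edit a file that sits in a directory the invoking user can write to. The C program below is an added illustration of those three checks and is not sudo's code nor part of either message. `safe_edit_open`, `dir_writable_by`, `demo_results`, the `EDIT_ERR_*` codes and the fixture built under /tmp are all constructed for this example; the directory check is a deliberate simplification that looks only at the immediate parent directory's owner/group/other mode bits (no ACLs, no supplementary groups, no walk of every path component).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes of safe_edit_open(); a non-negative return is an open fd. */
enum {
    EDIT_ERR_OPEN = -1,         /* could not open the path at all */
    EDIT_ERR_SYMLINK = -2,      /* final component is a symlink: refused */
    EDIT_ERR_NOT_REGULAR = -3,  /* FIFO, device, directory, socket ... */
    EDIT_ERR_DIR_WRITABLE = -4  /* parent directory writable by the user */
};

/* Simplified mode-bit test (assumption of this example): owner, group,
 * other only; ACLs and supplementary groups are not consulted. */
static int dir_writable_by(const struct stat *st, uid_t uid, gid_t gid)
{
    if (st->st_uid == uid)
        return (st->st_mode & S_IWUSR) != 0;
    if (st->st_gid == gid)
        return (st->st_mode & S_IWGRP) != 0;
    return (st->st_mode & S_IWOTH) != 0;
}

/* Open `path` for editing on behalf of the unprivileged user (uid, gid).
 * Returns an fd >= 0 on success, otherwise one of the EDIT_ERR_* codes. */
int safe_edit_open(const char *path, uid_t uid, gid_t gid)
{
    char *dcopy = strdup(path), *bcopy = strdup(path);
    int rc = EDIT_ERR_OPEN;
    if (dcopy == NULL || bcopy == NULL) { free(dcopy); free(bcopy); return rc; }

    /* Keep the parent directory open so the writability check and the
     * later openat() refer to the same directory object. */
    int dfd = open(dirname(dcopy), O_RDONLY | O_DIRECTORY);
    if (dfd >= 0) {
        struct stat dst, st;
        if (fstat(dfd, &dst) != 0) {
            rc = EDIT_ERR_OPEN;
        } else if (dir_writable_by(&dst, uid, gid)) {
            rc = EDIT_ERR_DIR_WRITABLE;
        } else {
            /* O_NOFOLLOW: never follow a symlink in the final component.
             * O_NONBLOCK: opening a FIFO must not block waiting for a writer. */
            int fd = openat(dfd, basename(bcopy), O_RDONLY | O_NONBLOCK | O_NOFOLLOW);
            if (fd < 0) {
                rc = (errno == ELOOP) ? EDIT_ERR_SYMLINK : EDIT_ERR_OPEN;
            } else if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) {
                rc = fd;                       /* regular file: hand it back */
            } else {
                close(fd);
                rc = EDIT_ERR_NOT_REGULAR;
            }
        }
        close(dfd);
    }
    free(dcopy);
    free(bcopy);
    return rc;
}

/* Constructed fixture: a regular file, a symlink and a FIFO in a 0700
 * directory, plus a regular file in a 0777 directory. results[0..3] get
 * the outcome of each case (0 for a successful open). Returns 0 when the
 * fixture could be created, -1 otherwise. */
int demo_results(int results[4])
{
    char dir[] = "/tmp/sudoedit_demo_XXXXXX", wdir[] = "/tmp/sudoedit_open_XXXXXX";
    if (mkdtemp(dir) == NULL || mkdtemp(wdir) == NULL)
        return -1;
    char regular[128], symlnk[128], fifo[128], in_writable[128];
    snprintf(regular, sizeof regular, "%s/config.txt", dir);
    snprintf(symlnk, sizeof symlnk, "%s/link.txt", dir);
    snprintf(fifo, sizeof fifo, "%s/pipe", dir);
    snprintf(in_writable, sizeof in_writable, "%s/config.txt", wdir);
    int fd = open(regular, O_WRONLY | O_CREAT, 0600);     if (fd >= 0) close(fd);
    fd = open(in_writable, O_WRONLY | O_CREAT, 0600);     if (fd >= 0) close(fd);
    symlink(regular, symlnk);
    mkfifo(fifo, 0600);
    chmod(wdir, 0777);

    /* Simulate an invoking user who does not own the fixture directories. */
    uid_t uid = getuid() + 1;
    gid_t gid = getgid() + 1;
    results[0] = safe_edit_open(regular, uid, gid);
    if (results[0] >= 0) { close(results[0]); results[0] = 0; }
    results[1] = safe_edit_open(symlnk, uid, gid);
    results[2] = safe_edit_open(fifo, uid, gid);
    results[3] = safe_edit_open(in_writable, uid, gid);

    unlink(regular); unlink(symlnk); unlink(fifo); unlink(in_writable);
    rmdir(dir); rmdir(wdir);
    return 0;
}

int main(void)
{
    int r[4];
    if (demo_results(r) != 0) { perror("fixture"); return 1; }
    printf("regular=%d symlink=%d fifo=%d writable-dir=%d\n", r[0], r[1], r[2], r[3]);
    return 0;
}
```

The FIFO case is the one that motivates the O_NONBLOCK entry in the changelog: without it, `open()` on a FIFO with no writer blocks indefinitely, so the "is this a regular file" check could never run. Opening the parent directory first and using `openat()` keeps the writability check and the file open bound to the same directory object rather than re-resolving the path twice.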