OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 17-Jan-2005 13:29:50
Branch: HEAD Handle: 2005011712294900
Modified files:
openpkg-web/security OpenPKG-SA-2005.002-sudo.txt
Log:
release OpenPKG Security Advisory 2005.002 (sudo)
Summary:
Revision Changes Path
1.2 +19 -10 openpkg-web/security/OpenPKG-SA-2005.002-sudo.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2005.002-sudo.txt
============================================================================
$ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2005.002-sudo.txt
--- openpkg-web/security/OpenPKG-SA-2005.002-sudo.txt 14 Jan 2005 15:43:15
-0000 1.1
+++ openpkg-web/security/OpenPKG-SA-2005.002-sudo.txt 17 Jan 2005 12:29:49
-0000 1.2
@@ -1,9 +1,12 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
-OpenPKG-SA-2005.002 14-Jan-2005
+OpenPKG-SA-2005.002 17-Jan-2005
________________________________________________________________________
Package: sudo
@@ -18,13 +21,13 @@
Dependent Packages: none
Description:
- Liam Helmer discovered a design flaw in sudo [0], a program used to
- control user privilege escalation. The sudo function rebuild_env()
+ Liam Helmer discovered a design flaw in Sudo [0], a program used to
+ control user privilege escalation. The Sudo function rebuild_env()
fails to sufficiently clean potentially dangerous variables from
the environment passed to the program to be executed. An attacker
- with sudo access to a shell script that uses bash may therefore run
- arbitrary commands with other (including superuser) privileges. The
- Common Vulnerabilities and Exposures (CVE) project assigned the
+ with Sudo access to a shell script that uses GNU Bash may therefore
+ run arbitrary commands with other (including superuser) privileges.
+ The Common Vulnerabilities and Exposures (CVE) project assigned the
identifier CAN-2004-1051 [1] to the problem.
Please check whether you are affected by running "<prefix>/bin/openpkg
@@ -33,10 +36,9 @@
(see Solution) [2][3].
Workaround:
- Add a line to the sudoers file containing the text 'Defaults env_reset'.
- This causes the environment to only contain the variables HOME, LOGNAME,
- PATH, SHELL, TERM, and USER, thus preventing an attack. Please ignore
- this workaround and instead apply the full solution as described below.
+ Add a line to the sudoers file containing the text 'Defaults
+ env_reset'. This causes the environment to only contain the variables
+ HOME, LOGNAME, PATH, SHELL, TERM, and USER, thus preventing an attack.
Solution:
Select the updated source RPM appropriate for your OpenPKG release
@@ -77,3 +79,10 @@
for details on how to verify the integrity of this advisory.
________________________________________________________________________
+-----BEGIN PGP SIGNATURE-----
+Comment: OpenPKG <[EMAIL PROTECTED]>
+
+iD8DBQFB66+ugHWT4GPEy58RAmbnAKD11oxrYLF/oKusAvLc7yhY606SDwCgyPFc
+NlNjIk/xso2hVQ17fKfCKbA=
+=kozt
+-----END PGP SIGNATURE-----
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [email protected]
