[Touch-packages] [Bug 1512781] Re: CVE-2015-5602 - Unauthorized Privilege Escalation

2021-10-13 Thread Steve Langasek
The Precise Pangolin has reached end of life, so this bug will not be fixed for that release ** Changed in: sudo (Ubuntu Precise) Status: Confirmed => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in

[Touch-packages] [Bug 1512781] Re: CVE-2015-5602 - Unauthorized Privilege Escalation

2016-04-20 Thread Marc Deslauriers
Xenial now has 1.8.16, marking released. ** Changed in: sudo (Ubuntu Xenial) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu. https://bugs.launchpad.net/bugs/1512781

[Touch-packages] [Bug 1512781] Re: CVE-2015-5602 - Unauthorized Privilege Escalation

2016-01-19 Thread Bug Watch Updater
** Changed in: sudo (Debian) Status: Confirmed => Fix Released

[Touch-packages] [Bug 1512781] Re: CVE-2015-5602 - Unauthorized Privilege Escalation

2015-11-06 Thread Raphaël Hertzog
> The #else portion of the code may be fine, I haven't studied it extensively

I doubt this, it relies on comparing inode numbers and device numbers returned by lstat() and fstat(). lstat() just like O_FOLLOW only considers the final component of the path. If it's a symlink, it returns data about

[Touch-packages] [Bug 1512781] Re: CVE-2015-5602 - Unauthorized Privilege Escalation

2015-11-05 Thread Laurent Bigonville
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5602

[Touch-packages] [Bug 1512781] Re: CVE-2015-5602 - Unauthorized Privilege Escalation

2015-11-05 Thread Marc Deslauriers
** Bug watch added: bugzilla.sudo.ws/ #707 http://bugzilla.sudo.ws/show_bug.cgi?id=707 ** Also affects: sudo via http://bugzilla.sudo.ws/show_bug.cgi?id=707 Importance: Unknown Status: Unknown

[Touch-packages] [Bug 1512781] Re: CVE-2015-5602 - Unauthorized Privilege Escalation

2015-11-05 Thread Bug Watch Updater
** Changed in: sudo (Debian) Status: Unknown => Confirmed

[Touch-packages] [Bug 1512781] Re: CVE-2015-5602 - Unauthorized Privilege Escalation

2015-11-05 Thread Laurent Bigonville
** Bug watch added: Debian Bug tracker #804149 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804149 ** Also affects: sudo (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804149 Importance: Unknown Status: Unknown

[Touch-packages] [Bug 1512781] Re: CVE-2015-5602 - Unauthorized Privilege Escalation

2015-11-03 Thread Seth Arnold
I'm a little surprised this got a CVE number to be honest; allowing users to edit files via some privileged mechanism when they may control some portion of the filesystem under consideration is always going to be dangerous. sudo cannot actually prevent this -- for example, the patch for this

[Touch-packages] [Bug 1512781] Re: CVE-2015-5602 - Unauthorized Privilege Escalation

2015-11-03 Thread Seth Arnold
Ah, the demo program is still illegible only now with pipes. Sigh. I've attached the program here. ** Attachment added: "o_nofollow.c" https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1512781/+attachment/4512250/+files/o_nofollow.c

[Touch-packages] [Bug 1512781] Re: CVE-2015-5602 - Unauthorized Privilege Escalation

2015-11-03 Thread Marc Deslauriers
** Information type changed from Private Security to Public Security ** Also affects: sudo (Ubuntu Precise) Importance: Undecided Status: New ** Also affects: sudo (Ubuntu Wily) Importance: Undecided Status: New ** Also affects: sudo (Ubuntu Trusty) Importance: Undecided