Congratulations, Ubuntu team. You have now fallen behind *Debian's
Stable Release* in a security update to sudo, despite several releases
in between. They even released their newest (24 month development cycle)
in the same month as you. This has been fixed, *fully fixed*, for over a
year now. Epic
Debian hasn't fixed this in squeeze or wheezy yet, it's fixed in
jessie because they have a recent enough version of sudo.
They haven't fixed it because they were never vulnerable: they don't
allow you to change the clock without a password.
We do plan on backporting monolithic timer support,
Really? If the terminal I last ran sudo in is open still on the machine,
and it's unlocked, I couldn't simply change the time back to the
previous sudo command an escalate?
Even if it's a remote chance, it's still an easy exploit.
/var/log/auth.log is certainly readable by a program that uses a
Notice that only the SID changed though. That gives me a 1 in 32k
chance, and I can generate them basically at will with setsid. In my
testing so far, the inode of the TTY file for /dev/pts/0 has stayed 3
across several reboots. If it doesn't change, then it is moot from a
security standpoint.
To clarify: I reboot, log in, open gnome-terminal. The tty is always
/dev/pts/0, and ls -i /dev/pts/0 shows an inode of 3. This occurs even
if I shut down and power back on, though admittedly in a VM.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded
Yup, I think so. while true; do setsid something to run sudo; done; or
the like. In my tests rolling through then all took about 5 minutes, and
that was in a crappy VM with 1 core and 30% CPU being used by compiz. I
haven't gotten it to pop an escalated shell yet, but I'll poke at it
more tonight
Without rebooting, the tty, inode, sid should change for every
terminal you open.
When I tried this on 15.04, the tty and inode didnt: only the SID
changed. Closing a gnome-terminal and reopening it got the same tty and
SID. For *additional* terminals, they got new ttys and inodes, but if
you
Oh, nevermind! You're talking about outside of the sudo instance. In the
case of Cron, etc: just let *the user* decide whether they want to be
asked after the first time. Make it an option to unlock the clock,
disabled by default but still available.
--
You received this bug notification because
Kay, the update to sudo (1.8.10) actually solves this by using the
monotonic clock. All that needs to happen is for Ubuntu to udpate to it.
:)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
You can set the time with:
timedatectl set-time 2000-01-01 10:00:00
Wow. Yeah, that'll make exploiting this *much* easier on desktop.
Fortunately Ubuntu Server doesn't allow this without authenticating.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded
Tyler,
it's great that this bug will be fixed. However, I have some concerns about the
mitigations factors.
1) Timestamp: Easily found in the auth.log, and easily bypassed due to
an unlocked clock.
2) TTY: The tty of the first gnome-terminal running is (as far as I can
tell) /dev/pts/0. That's
Indeed. Trojaning those requires waiting for the user. Why lay a trap
and wait when you can just break down the door? If I can use dogtail or
similar to automate the clock and suddenly we're in drive-by territory.
--
You received this bug notification because you are a member of Ubuntu
Touch
It looks like sudo 1.8.12 made it into 15.10 finally. Excellent. Apple
went the other route and locked the clock back down.
(https://support.apple.com/en-us/HT205031)
The CVE associated with this bug seems to be about the TZ (seen on
RedHat's security site:
** Changed in: initramfs-tools (Ubuntu)
Status: Confirmed => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1555147
Title:
package
This turned out to be a problem with the user not being in the audio and
pulse-access groups. Also the back panel speaker out only has one
channel working, however the front panel headphone connector works fine.
So I just use the front panel headphone jack.
** Attachment removed: "AlsaInfo.txt"
Public bug reported:
I have no audio output with the following configuration:
*-multimedia
description: Audio device
product: MCP61 High Definition Audio
vendor: NVIDIA Corporation
physical id: 5
bus info: pci@:00:05.0
version: a2
** Attachment removed: "PulseList.txt"
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1672562/+attachment/4837341/+files/PulseList.txt
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pulseaudio in Ubuntu.
** Attachment removed: "CurrentDmesg.txt"
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1672562/+attachment/4837338/+files/CurrentDmesg.txt
** Attachment removed: "JournalErrors.txt"
I *might* have a possible clue for the gdebi gui crash in Bionic.
If I right click on a .deb file and tell it to install with gdebi the gui will
crash.
If I open a terminal in the same directory as the file and launch gdebi-gtk
*.deb the gui will install and uninstall the .deb file without
Public bug reported:
I left the Beta of Focal Fossa running overnight and when I logged in
this morning, I found an open Authentication window with the message "To
change software repository settings, you need to authenticate" (see
attached screenshot).
I enter my password and the password field
I attempted to make a change to a repository by launching Software &
Updates and editing an unselected package from eoan to fossa - the
authentication window persisted at the top left of my screen throughout
- even after entering my credentials in the central authentication
window that popped up
Public bug reported:
I had successfully opened settings and used it to change some of the desktop
options (size of the docker icons, etc.).
Then I clicked on "Users" and ubuntu-settings crashed.
Since then, I am unable to open ubuntu-settings - it will open and flash up on
the screen before
Public bug reported:
When I use the new (24.04) settings and 'Online Accounts' to connect to
Microsoft 365, it authenticates, works well for about 5 minutes and then
disconnects.
I have to remove that account and redo it every time I want to use it.
ProblemType: Bug
DistroRelease: Ubuntu 24.04
23 matches
Mail list logo
