[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-20 Thread Launchpad Bug Tracker
This bug was fixed in the package sudo - 1.9.5p2-2ubuntu3

---
sudo (1.9.5p2-2ubuntu3) hirsute; urgency=medium

  * No change rebuild with fixed ownership.

 -- Dimitri John Ledkov   Thu, 18 Feb 2021 00:03:21 +

** Changed in: sudo (Ubuntu)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1915307

Title:
  Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

Status in sudo package in Ubuntu:
  Fix Released

Bug description:
  This requires a merge because there are changes in the Ubuntu version
  not present in the Debian version.

  -- Justification of patches removed from debian/patches/series --
  * typo-in-classic-insults.diff
    * This exact patch is present in upstream version 1.9.5p2-2
  * paths-in-samples.diff
    * This exact patch is present in upstream version 1.9.5p2-2
  * Whitelist-DPKG_COLORS-environment-variable.diff
    * This exact patch is present in upstream version 1.9.5p2-2
  * CVE-2021-23239.patch
    * This exact patch is NOT present in upstream version 1.9.5p2-2
    * The patch is made to address a vulnerability wherein users
      were able to gain information about what directories existed
      that they should not have had access to.
    * Upstream version 1.9.5p2-2 addresses this vulnerability using
      the function sudo_edit_parent_valid in the file src/sudo_edit.c
    * Since the vulnerability is addressed in upstream version
      1.9.5p2-2 it can safely be dropped
  * CVE-2021-3156-1.patch
    * The code from this patch already exists in upstream
      version 1.9.5p2-2
  * CVE-2021-3156-2.patch
    * The code from this patch already exists in upstream
      version 1.9.5p2-2
  * CVE-2021-3156-3.patch
    * The code from this patch already exists in upstream
      version 1.9.5p2-2
  * CVE-2021-3156-4.patch
    * The code from this patch already exists in upstream
      version 1.9.5p2-2
  * CVE-2021-3156-5.patch
    * The code from this patch already exists in upstream
      version 1.9.5p2-2
  * ineffective_no_root_mailer.patch
    * This exact patch is present in upstream version 1.9.5p2-2
      under the name fix-no-root-mailer.diff

  Changes:
  * Merge from Debian unstable. (LP: #1915307)
    Remaining changes:
    - debian/rules:
      + use dh-autoreconf
    - debian/rules: stop shipping init scripts, as they are no longer
      necessary.
    - debian/rules:
      + compile with --without-lecture --with-tty-tickets --enable-admin-flag
      + install man/man8/sudo_root.8 in both flavours
      + install apport hooks
    - debian/sudo-ldap.dirs, debian/sudo.dirs:
      + add usr/share/apport/package-hooks
    - debian/sudo.pam:
      + Use pam_env to read /etc/environment and /etc/default/locale
        environment files. Reading ~/.pam_environment is not permitted
        for security reasons.
    - debian/sudoers:
      + also grant admin group sudo access
      + include /snap/bin in the secure_path

  sudo (1.9.5p2-2) unstable; urgency=medium

  * patch from upstream repo to fix NO_ROOT_MAILER

  sudo (1.9.5p2-1) unstable; urgency=high

  * new upstream version, addresses CVE-2021-3156

  sudo (1.9.5p1-1.1) unstable; urgency=high

  * Non-maintainer upload.
  * Heap-based buffer overflow (CVE-2021-3156)
    - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
    - Add sudoedit flag checks in plugin that are consistent with front-end
    - Fix potential buffer overflow when unescaping backslashes in user_args
    - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL
    - Don't assume that argv is allocated as a single flat buffer

  sudo (1.9.5p1-1) unstable; urgency=medium

  * new upstream version, closes: #980028

  sudo (1.9.5-1) unstable; urgency=medium

  * new upstream version

  sudo (1.9.4p2-2ubuntu3) hirsute; urgency=medium

  * SECURITY UPDATE: ineffective NO_ROOT_MAILER hardening option
    - debian/patches/ineffective_no_root_mailer.patch: fix NO_ROOT_MAILER
      in plugins/sudoers/logging.c, plugins/sudoers/policy.c.
    - No CVE number

  sudo (1.9.4p2-2ubuntu2) hirsute; urgency=medium

  * SECURITY UPDATE: dir existence issue via sudoedit race
    - debian/patches/CVE-2021-23239.patch: fix potential directory existing
      info leak in sudoedit in src/sudo_edit.c.
    - CVE-2021-23239
  * SECURITY UPDATE: heap-based buffer overflow
    - debian/patches/CVE-2021-3156-1.patch: reset valid_flags to
      MODE_NONINTERACTIVE for sudoedit in src/parse_args.c.
    - debian/patches/CVE-2021-3156-2.patch: add sudoedit flag checks in
      plugin in plugins/sudoers/policy.c.
    - debian/patches/CVE-2021-3156-3.patch: fix potential buffer overflow
      when unescaping backslashes in plugins/sudoers/sudoers.c.
    - debian/patches/CVE-2021-3156-4.patch: fix the memset offset when
      converting a v1 timestamp to TS_LOCKEXCL in
      plugins/sudoers/timestamp.c.
    - debian/patches/CVE-2021-3156-5.patch: don't assume that argv is
      allocated as a single flat buffer in 

[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-18 Thread Dimitri John Ledkov
** Tags removed: block-proposed


[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-16 Thread Thomas Ward
Looks like the permissions issue is caused by
https://bugs.launchpad.net/ubuntu/+source/fakeroot/+bug/1915250 and
everything is now frozen until that is fixed.

[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-15 Thread Sebastien Bacher
** Tags added: block-proposed


[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-15 Thread Thomas Ward
The version of sudo in the repos already prior to this
(1.9.4p2-2ubuntu3) works as expected, though, with proper permissions
being set:

root@hirsute-test:~# apt-cache policy sudo
sudo:
  Installed: 1.9.4p2-2ubuntu3
  Candidate: 1.9.4p2-2ubuntu3
  Version table:
     1.9.5p2-2ubuntu1 400
        400 http://us.archive.ubuntu.com/ubuntu hirsute-proposed/main amd64 Packages
 *** 1.9.4p2-2ubuntu3 500
        500 http://us.archive.ubuntu.com/ubuntu hirsute/main amd64 Packages
        100 /var/lib/dpkg/status
root@hirsute-test:~# ls -al $(which sudo)
-rwsr-xr-x 1 root root 182760 Jan 30 19:35 /usr/bin/sudo


[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-15 Thread Thomas Ward
Confirmed the regression that iLogin sees.

From within a hirsute daily LXD container with full apt update and apt
dist-upgrade done to it, with `sudo apt install -t hirsute-proposed
sudo` done to get the sudo AND updated libc it requires:

root@hirsute-test:~# ls -al $(which sudo)
-rwsr-xr-x 1 2001 2501 190952 Feb 10 11:42 /usr/bin/sudo
root@hirsute-test:~# sudo
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

Which means the package does not work as intended, and will break.

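The error Thomas Ward reproduces above is sudo's own startup check rejecting a binary owned by uid 2001 instead of root. The script below is an added example, not part of the bug thread or of the sudo or fakeroot packages: it encodes that same check in two forms, one that parses an `ls -l` line like the two quoted in this thread (constructed copies are embedded) and one that queries a real path with GNU stat(1), so a post-upgrade sanity check can catch a mis-owned setuid binary before anyone relies on it.

```shell
#!/bin/sh
# Constructed sample lines modelled on the two `ls -al $(which sudo)` outputs
# quoted in this thread: the healthy hirsute install and the regressed
# hirsute-proposed build (owner 2001:2501 instead of root:root).
SAMPLE_GOOD='-rwsr-xr-x 1 root root 182760 Jan 30 19:35 /usr/bin/sudo'
SAMPLE_BAD='-rwsr-xr-x 1 2001 2501 190952 Feb 10 11:42 /usr/bin/sudo'

# check_ls_line "<ls -l line>"
# Returns 0 when the listed file is owned by root (or numeric uid 0) AND has
# the setuid bit, 1 otherwise. This mirrors sudo's refusal message:
# "must be owned by uid 0 and have the setuid bit set".
check_ls_line() {
    line=$1
    set -- $line            # split into fields: perms links owner group ...
    perms=$1
    owner=$3
    # The owner-execute position (4th char) reads 's' when setuid+exec is set,
    # 'S' when setuid is set without exec; anything else means no setuid.
    case "$perms" in
        ???[sS]*) ;;
        *) return 1 ;;
    esac
    [ "$owner" = root ] || [ "$owner" = 0 ] || return 1
    return 0
}

# check_path "/path/to/binary"
# Same test against a real file using GNU stat(1) format flags
# (%u = numeric owner uid, %a = octal mode). Non-GNU stat differs, so this
# half assumes a Linux/coreutils host like the LXD container in the thread.
check_path() {
    uid=$(stat -c %u "$1") || return 1
    mode=$(stat -c %a "$1") || return 1
    [ "$uid" -eq 0 ] || return 1
    # With any special bit set, %a prints four digits; the leading digit has
    # the 4 (setuid) bit set when it is 4, 5, 6 or 7.
    case "$mode" in
        [4-7]???) return 0 ;;
        *) return 1 ;;
    esac
}

# When run directly with paths as arguments, report each one. With no
# arguments (e.g. when sourced) this loop does nothing.
for p in "$@"; do
    if check_path "$p"; then
        echo "$p: owned by uid 0 with setuid bit, OK"
    else
        echo "$p: NOT owned by uid 0 with setuid bit (sudo would refuse to run)"
    fi
done
```

Running `sh check-setuid.sh /usr/bin/sudo` after installing from -proposed would have flagged the regressed package immediately.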

[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-15 Thread iLogin
Yep

** Attachment added: "Screenshot_20210216_040220.png"
   https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1915307/+attachment/5464005/+files/Screenshot_20210216_040220.png


[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-15 Thread Alex Murray
@iLogin - this is likely caused by
https://bugs.launchpad.net/ubuntu/+source/fakeroot/+bug/1915250


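The error iLogin reports and Alex Murray traces to the fakeroot bug is sudo's own startup check of its binary: the message says the installed /usr/bin/sudo is not owned by uid 0 with the setuid bit set. As an added example, not code from this thread or from the sudo project, the following POSIX shell check verifies those same two properties on any installed setuid helper and additionally flags a group- or world-writable binary, which sudo's message does not mention. It assumes GNU coreutils `stat -c`; the function name `check_setuid_root` and the diagnostic wording are my own.

```shell
#!/bin/sh
# Added example, not from the bug thread or the sudo project: verify that a
# setuid helper such as /usr/bin/sudo is installed the way sudo's own startup
# check requires, i.e. owned by uid 0 with the setuid bit set.
# Assumes GNU coreutils stat (-c format strings); the function name and the
# message wording are hypothetical.

# check_setuid_root PATH
# Prints a one-line diagnosis and returns 0 only when PATH is a regular file
# owned by uid 0, has the setuid bit (04000) and is not group- or world-writable.
check_setuid_root() {
    path=$1
    if [ ! -f "$path" ]; then
        echo "$path: missing or not a regular file"
        return 1
    fi
    # %u = numeric owner uid, %a = permission bits in octal without a leading
    # zero, e.g. 755 for rwxr-xr-x and 4755 for rwsr-xr-x
    owner=$(stat -c '%u' "$path") || return 1
    mode=$(stat -c '%a' "$path") || return 1
    status=0
    if [ "$owner" -ne 0 ]; then
        echo "$path: owned by uid $owner, expected uid 0"
        status=1
    fi
    case "$mode" in
        [4567][0-7][0-7][0-7]) ;;   # first of four digits carries the setuid bit
        *)
            echo "$path: mode $mode lacks the setuid bit"
            status=1
            ;;
    esac
    case "$mode" in
        *[2367][0-7]|*[2367])       # write bit set in the group or other digit
            echo "$path: mode $mode is group- or world-writable"
            status=1
            ;;
    esac
    if [ "$status" -eq 0 ]; then
        echo "$path: ok (uid $owner, mode $mode)"
    fi
    return "$status"
}

# Check every path given on the command line and exit non-zero if any fails.
# With no arguments the script only defines the function, so it can be sourced.
if [ $# -gt 0 ]; then
    rc=0
    for p in "$@"; do
        check_setuid_root "$p" || rc=1
    done
    exit "$rc"
fi
```

Run it as `sh check_setuid.sh /usr/bin/sudo` after installing or upgrading the package; a build produced under a broken fakeroot, as in this thread, shows up as "owned by uid N, expected uid 0" before anyone hits sudo's own refusal. The writability check is stricter than what sudo reports here: a setuid root binary that unprivileged users can write is a local privilege escalation regardless of its other bits, so a packaging check should fail on it too.
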
[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-15 Thread iLogin
sudo 1.9.5p2-2ubuntu1

sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

...


[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-15 Thread Marc Deslauriers
Debdiff in comment #5 looks good. There was a missing double space
between your email and the date in debian/changelog that was causing a
lintian error.

I fixed the missing space and uploaded it to hirsute.

Thanks!

** Changed in: sudo (Ubuntu)
   Status: In Progress => Fix Committed


[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-14 Thread Michael Hudson-Doyle
Thanks, this looks good to me but out of an abundance of caution (this
is sudo, after all), I'm going to get Marc from the security team to
take a look -- it seems the upstream fixes for the CVE are a bit
different from the ones currently in Ubuntu and I'd like him to verify
that we think upstream got this right :-)

** Changed in: sudo (Ubuntu)
 Assignee: William Wilson (jawn-smith) => Marc Deslauriers (mdeslaur)


[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-12 Thread Mathew Hodson
** Changed in: sudo (Ubuntu)
   Importance: Undecided => Wishlist


[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-12 Thread William Wilson
This new diff from debian drops the whitespace changes and adds the
dropped CVE patches to the changelog

** Patch added: "Diff from Debian take two"
   
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1915307/+attachment/5463220/+files/debian-ubuntu.debdiff


[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-11 Thread Michael Hudson-Doyle
Hi, this looks mostly very good! I have some tiny nitpicks:

1) It's good to mention the patches that are being dropped in the changelog 
entry.
2) There are some whitespace changes in the bottom of the changelog that you 
could drop if you felt like it.

[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-11 Thread Ubuntu Foundations Team Bug Bot
The attachment "Diff from Debian" seems to be a debdiff.  The ubuntu-
sponsors team has been subscribed to the bug report so that they can
review and hopefully sponsor the debdiff.  If the attachment isn't a
patch, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe
the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]

** Tags added: patch

[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-11 Thread William Wilson
** Patch added: "Diff from latest Ubuntu version"
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1915307/+attachment/5462731/+files/ubuntu-ubuntu.debdiff

[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-11 Thread William Wilson
** Patch added: "Diff from Debian"
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1915307/+attachment/5462721/+files/debian-ubuntu.debdiff

[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-10 Thread William Wilson
** Description changed:

  This requires a merge because there are changes in the Ubuntu version
  not present in the Debian version.
+ 
+ -- Justification of patches removed from debian/patches/series --
+ * typo-in-classic-insults.diff
+   * This exact patch is present in upstream version 1.9.5p2-2
+ * paths-in-samples.diff
+   * This exact patch is present in upstream version 1.9.5p2-2
+ * Whitelist-DPKG_COLORS-environment-variable.diff
+   * This exact patch is present in upstream version 1.9.5p2-2
+ * CVE-2021-23239.patch
+   * This exact patch is NOT present in upstream version 1.9.5p2-2
+ * The patch is made to address a vulnerability wherein users
+   were able to gain information about what directories existed
+   that they should not have had access to.
+ * Upstream version 1.9.5p2-2 addresses this vulnerability using
+   the function sudo_edit_parent_valid in the file src/sudo_edit.c
+ * Since the vulnerability is addressed in upstream version
+   1.9.5p2-2 it can safely be dropped
+ * CVE-2021-3156-1.patch
+   * The code from this patch already exitsts in upstream
+ version 1.9.5p2-2
+ * CVE-2021-3156-2.patch
+   * The code from this patch already exitsts in upstream
+ version 1.9.5p2-2
+ * CVE-2021-3156-3.patch
+   * The code from this patch already exitsts in upstream
+ version 1.9.5p2-2
+ * CVE-2021-3156-4.patch
+   * The code from this patch already exitsts in upstream
+ version 1.9.5p2-2
+ * CVE-2021-3156-5.patch
+   * The code from this patch already exitsts in upstream
+ version 1.9.5p2-2
+ * ineffective_no_root_mailer.patch
+   * This exact patch is present in upstream version 1.9.5p2-2
+ under the name fix-no-root-mailer.diff
+ 
+ Changes:
+   * Merge from Debian unstable. (LP: #1915307)
+ Remaining changes:
+ - debian/rules:
+   + use dh-autoreconf
+ - debian/rules: stop shipping init scripts, as they are no longer
+   necessary.
+ - debian/rules:
+   + compile with --without-lecture --with-tty-tickets --enable-admin-flag
+   + install man/man8/sudo_root.8 in both flavours
+   + install apport hooks
+ - debian/sudo-ldap.dirs, debian/sudo.dirs:
+   + add usr/share/apport/package-hooks
+ - debian/sudo.pam:
+   + Use pam_env to read /etc/environment and /etc/default/locale
+ environment files. Reading ~/.pam_environment is not permitted due
+ to security reasons.
+ - debian/sudoers:
+   + also grant admin group sudo access
+   + include /snap/bin in the secure_path
+ 
+ sudo (1.9.5p2-2) unstable; urgency=medium
+ 
+   * patch from upstream repo to fix NO_ROOT_MAILER
+ 
+ sudo (1.9.5p2-1) unstable; urgency=high
+ 
+   * new upstream version, addresses CVE-2021-3156
+ 
+ sudo (1.9.5p1-1.1) unstable; urgency=high
+ 
+   * Non-maintainer upload.
+   * Heap-based buffer overflow (CVE-2021-3156)
+ - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
+ - Add sudoedit flag checks in plugin that are consistent with front-end
+ - Fix potential buffer overflow when unescaping backslashes in user_args
+ - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL
+ - Don't assume that argv is allocated as a single flat buffer
+ 
+ sudo (1.9.5p1-1) unstable; urgency=medium
+ 
+   * new upstream version, closes: #980028
+ 
+ sudo (1.9.5-1) unstable; urgency=medium
+ 
+   * new upstream version
+ 
+ sudo (1.9.4p2-2ubuntu3) hirsute; urgency=medium
+ 
+   * SECURITY UPDATE: ineffective NO_ROOT_MAILER hardening option
+ - debian/patches/ineffective_no_root_mailer.patch: fix NO_ROOT_MAILER
+   in plugins/sudoers/logging.c, plugins/sudoers/policy.c.
+ - No CVE number
+ 
+ sudo (1.9.4p2-2ubuntu2) hirsute; urgency=medium
+ 
+   * SECURITY UPDATE: dir existence issue via sudoedit race
+ - debian/patches/CVE-2021-23239.patch: fix potential directory existing
+   info leak in sudoedit in src/sudo_edit.c.
+ - CVE-2021-23239
+   * SECURITY UPDATE: heap-based buffer overflow
+ - debian/patches/CVE-2021-3156-1.patch: reset valid_flags to
+   MODE_NONINTERACTIVE for sudoedit in src/parse_args.c.
+ - debian/patches/CVE-2021-3156-2.patch: add sudoedit flag checks in
+   plugin in plugins/sudoers/policy.c.
+ - debian/patches/CVE-2021-3156-3.patch: fix potential buffer overflow
+   when unescaping backslashes in plugins/sudoers/sudoers.c.
+ - debian/patches/CVE-2021-3156-4.patch: fix the memset offset when
+   converting a v1 timestamp to TS_LOCKEXCL in
+   plugins/sudoers/timestamp.c.
+ - debian/patches/CVE-2021-3156-5.patch: don't assume that argv is
+   allocated as a single flat buffer in src/parse_args.c.
+ - CVE-2021-3156
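
The justification above drops each Ubuntu patch either because the Debian changelog records the same CVE as fixed upstream, or because the fix was found by comparing content (CVE-2021-23239.patch versus sudo_edit_parent_valid in src/sudo_edit.c, ineffective_no_root_mailer.patch versus fix-no-root-mailer.diff). The script below is an added example for this thread, not tooling from the bug report or from the sudo package: it parses debian/changelog-style entries (the constructed input copies the entries quoted in the description, trailer lines omitted) and, for every dropped patch whose filename carries a CVE id, lists the Debian versions whose entry mentions that CVE, so that only patches the changelog cannot account for are left for the hand-written, content-based justification. Function names, the `Entry` class and the "ubuntu in the version string" heuristic are this example's own assumptions.

```python
"""Cross-check a merge's "patches dropped" list against debian/changelog.

Added example for this bug thread; it is not the bug report's or the sudo
package's own tooling. Function and field names are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed input: Debian and Ubuntu changelog entries as quoted in the
# bug description (trailer lines omitted; the parser does not need them).
CHANGELOG = """\
sudo (1.9.5p2-2) unstable; urgency=medium

  * patch from upstream repo to fix NO_ROOT_MAILER

sudo (1.9.5p2-1) unstable; urgency=high

  * new upstream version, addresses CVE-2021-3156

sudo (1.9.5p1-1.1) unstable; urgency=high

  * Non-maintainer upload.
  * Heap-based buffer overflow (CVE-2021-3156)
    - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
    - Don't assume that argv is allocated as a single flat buffer

sudo (1.9.4p2-2ubuntu3) hirsute; urgency=medium

  * SECURITY UPDATE: ineffective NO_ROOT_MAILER hardening option
    - debian/patches/ineffective_no_root_mailer.patch: fix NO_ROOT_MAILER
    - No CVE number

sudo (1.9.4p2-2ubuntu2) hirsute; urgency=medium

  * SECURITY UPDATE: dir existence issue via sudoedit race
    - debian/patches/CVE-2021-23239.patch: fix potential directory existing
      info leak in sudoedit in src/sudo_edit.c.
    - CVE-2021-23239
  * SECURITY UPDATE: heap-based buffer overflow
    - debian/patches/CVE-2021-3156-1.patch: reset valid_flags to
      MODE_NONINTERACTIVE for sudoedit in src/parse_args.c.
    - CVE-2021-3156
"""

# debian/patches/series entries the merge drops, in the order the bug lists them.
DROPPED_PATCHES = [
    "typo-in-classic-insults.diff",
    "paths-in-samples.diff",
    "Whitelist-DPKG_COLORS-environment-variable.diff",
    "CVE-2021-23239.patch",
    "CVE-2021-3156-1.patch",
    "CVE-2021-3156-2.patch",
    "CVE-2021-3156-3.patch",
    "CVE-2021-3156-4.patch",
    "CVE-2021-3156-5.patch",
    "ineffective_no_root_mailer.patch",
]

# "sudo (1.9.5p2-2) unstable; urgency=medium" -> source, version, distribution.
ENTRY_HEADER = re.compile(r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); urgency=\S+$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Entry:
    version: str
    distribution: str
    body: str

    @property
    def is_ubuntu(self) -> bool:
        # Assumption: Ubuntu revisions carry "ubuntu" in the version, e.g. 1.9.4p2-2ubuntu2.
        return "ubuntu" in self.version

    def cves(self) -> set:
        return set(CVE_RE.findall(self.body))


def parse_changelog(text: str) -> list:
    """Split debian/changelog text into entries, in file order (newest first)."""
    entries, header, body = [], None, []
    for line in text.splitlines():
        m = ENTRY_HEADER.match(line)
        if m:
            if header:
                entries.append(Entry(header["version"], header["dist"], "\n".join(body)))
            header, body = m.groupdict(), []
        elif header:
            body.append(line)
    if header:
        entries.append(Entry(header["version"], header["dist"], "\n".join(body)))
    return entries


def check_dropped_patches(dropped: list, entries: list) -> dict:
    """Map each dropped patch to the Debian (non-Ubuntu) versions whose changelog
    entry names the CVE from the patch's filename; [] means the changelog alone
    does not justify dropping it."""
    debian = [e for e in entries if not e.is_ubuntu]
    report = {}
    for patch in dropped:
        m = CVE_RE.search(patch)
        report[patch] = [e.version for e in debian if m and m.group(0) in e.cves()]
    return report


def needs_manual_review(report: dict) -> list:
    """Patches that still need a content comparison against the new upstream."""
    return [patch for patch, versions in report.items() if not versions]


if __name__ == "__main__":
    for patch, versions in check_dropped_patches(DROPPED_PATCHES, parse_changelog(CHANGELOG)).items():
        print(f"{patch}: {'covered by ' + ', '.join(versions) if versions else 'MANUAL REVIEW'}")
```

Run against the quoted entries, the five CVE-2021-3156-N patches come back as covered by 1.9.5p2-1 and 1.9.5p1-1.1, while CVE-2021-23239.patch, ineffective_no_root_mailer.patch and the three non-CVE .diff files are reported for manual review, which is exactly the split the description's justification makes by hand.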
