Bug 40364 – sudo: multiple issues (4.1)

Bug 40364 - sudo: multiple issues (4.1)


Summary:	sudo: multiple issues (4.1)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.1
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.1-1-errata
Assigned To:	Arvid Requate
QA Contact:	Daniel Tröder

URL:
Keywords:

Depends on:
Blocks:	40365 40366
	Show dependency tree / graph

Reported:	2016-01-05 11:44 CET by Arvid Requate
Modified:	2016-10-05 12:46 CEST (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Security
Max CVSS v3 score:

Flags:	requate: Patch_Available+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2016-01-05 11:44:41 CET

CVE-2015-5602: sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by "/home/*/*/file.txt."

Comment 1 Arvid Requate

2016-01-11 20:11:31 CET

Upstream Debian package version 1.8.5p2-1+nmu3+deb7u1 fixes this issue.

Comment 2 Arvid Requate

2016-02-29 20:15:03 CET

The patches have been extracted from the Debian package update and the package has been rebuilt with them in errata4.1-1.

Advisory: sudo.yaml

Comment 3 Daniel Tröder

2016-03-02 13:15:27 CET

OK: advisory
OK: manual test of exploit:

root@Test35:~# dpkg -l sudo
ii  sudo                        1.8.5p2-1+nmu2.39.


root@Test35:~# visudo
>> test01 ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt

root@Test35:~# su - test01
test01@Test35:~$ mkdir testdir
test01@Test35:~$ ln -s /etc/shadow testdir/test.txt
test01@Test35:~$ sudoedit /home/test01/testdir/test.txt
[can edit shadow file]
sudoedit: /home/test01/testdir/test.txt unchanged

root@Test35:~# DEBIAN_FRONTEND=noninteractive apt-get install sudo
sudo (1.8.5p2-1+nmu2.42.201602292006) wird eingerichtet ...

test01@Test35:~$ sudoedit /home/test01/testdir/test.txt
sudoedit: /home/test01/testdir/test.txt: editing files in a writable directory is not permitted

Comment 4 Janek Walkenhorst

2016-03-08 17:05:42 CET

<http://errata.software-univention.de/ucs/4.1/125.html>