Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-dev

From: M0rpheus <m0rpheus@×××××××××××××.nu>
To: gentoo-user@g.o, gentoo-dev@g.o
Subject: [gentoo-dev] [SECURITY] [GENTOO] New sudo version to fix local root vulnerability
Date: Thu, 17 Jan 2002 05:12:40
Message-Id: 3C46C085.1030406@poseidon.mine.nu
1 - --------------------------------------------------------------------------
2 GENTOO LINUX SECURITY ANNOUNCEMENT
3 - --------------------------------------------------------------------------
4
5 PACKAGE :sudo
6 SUMMARY :Local vulnerability allows an attacker to obtain root privileges
7 DATE :2002-01-17 11:58:00
8
9 - --------------------------------------------------------------------------
10
11 OVERVIEW
12
13 There is a vulnerability in sudo which can allow an attacker to trick
14 sudo into running the system MTA with root privileges and an unclean
15 environment, possibly leading to a root compromise.
16
17
18 DETAIL
19
20 Sebastian Krahmer of the SuSE Security Team found a bug in sudo which
21 can allow an attacker to send a failed-invocation email with root
22 privileges and an unclean environment. Using the Postfix MTA an
23 attacker can potentially gain a root shell. No other MTA is known to be
24 exploitable at this time.
25
26 We would like to reiterate that the bug is in sudo, not Postfix which is
27 simply being used as a vehicle in this instance.
28
29 This bug is fixed by having sudo run the MTA with user privileges
30 instead of with root privileges.
31
32 SOLUTION
33
34 It is recommended that all sudo users apply the update
35
36 Portage Auto:
37
38 emerge rsync
39 emerge update
40 emerge update --world
41
42
43 Portage by hand:
44
45 emerge rsync
46 emerge app-admin/sudo
47
48 Manually:
49
50 Download the new sudo package here and follow in file instructions:
51 ftp://ftp.cs.colorado.edu/pub/sudo/sudo-1.6.5.tar.gz
52
53 - --------------------------------------------------------------------------
54 Ferry Meyndert
55
56 m0rpheus@×××××××××××××.nu
57 - --------------------------------------------------------------------------
Report Message
Find on MARC Find on Google Groups