SuSE Security Announcement: sudo (SuSE-SA:2002:002)
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: sudo
Announcement-ID: SuSE-SA:2002:002
Date: Mon Jan 14 13:00:00 CET 2002
Affected SuSE versions: 7.0, 7.1, 7.2, 7.3
Vulnerability Type: local privilege escalation
Severity (1-10): 5
SuSE default package: yes
Other affected systems: all recent sudo installations
Content of this advisory:
1) security vulnerability resolved: Sendmail invocation as root.
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The SuSE Security Team discovered a bug in the sudo program, which is
installed setuid root. When sudo logs a failed invocation it mails a report
by executing the sendmail program. An attacker can deliberately provoke such
a failed invocation and thereby have sendmail run with root privileges and
with an environment that has not been completely cleaned.
Depending on the installed mail package, this may allow an attacker to
execute code as root. This is the case at least for the postfix mailer;
other mailers may be exploitable in a similar way.
The bug has been fixed by having sudo invoke the sendmail command with the
privileges of the invoking user instead of root.
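The following is an added illustration of the pattern the fix above describes; it is not sudo's code. A root-running program that must hand off to an external helper such as a mailer forks, drops to the invoking user's uid and gid in the child (group first, then user, both return values checked), confirms that root cannot be regained, and execs the helper with an environment reduced to an allowlist plus a fixed PATH. The allowlist, the PATH value and the function names are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed PATH handed to the helper; an inherited PATH is never trusted. */
#define SAFE_PATH "PATH=/usr/bin:/bin"

/* Hypothetical allowlist of variables the helper may inherit. */
static const char *const allowed[] = { "TZ", "LANG", NULL };

/*
 * Copy into dst only those entries of src whose name is on the allowlist,
 * after a fixed PATH. dst must have room for max pointers; the result is
 * NULL-terminated. Returns the number of variables placed in dst.
 */
int build_clean_env(char *const *src, char **dst, size_t max)
{
    size_t n = 0;
    dst[n++] = SAFE_PATH;
    for (; *src != NULL && n + 1 < max; src++) {
        const char *eq = strchr(*src, '=');
        if (eq == NULL)          /* malformed entry without '=': drop it */
            continue;
        size_t namelen = (size_t)(eq - *src);
        for (size_t i = 0; allowed[i] != NULL; i++) {
            if (strlen(allowed[i]) == namelen &&
                strncmp(allowed[i], *src, namelen) == 0) {
                dst[n++] = *src;
                break;
            }
        }
    }
    dst[n] = NULL;
    return (int)n;
}

/*
 * Fork; in the child drop privileges to uid/gid (group first, then user),
 * verify that root cannot be regained, then exec the helper with the
 * filtered environment. Returns the child's exit status, or -1 on error.
 */
int run_mailer_as_user(const char *mailer, char *const argv[],
                       char *const envp[], uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *env[64];
        build_clean_env(envp, env, sizeof env / sizeof env[0]);
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(127);
        /* The drop must be permanent: if we were root, this must now fail. */
        if (uid != 0 && setuid(0) == 0)
            _exit(127);
        execve(mailer, argv, env);
        _exit(127);              /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

extern char **environ;

int main(void)
{
    /* Demonstration: print the environment a helper would actually see. */
    char *argv[] = { "sh", "-c", "env", NULL };
    int rc = run_mailer_as_user("/bin/sh", argv, environ, getuid(), getgid());
    printf("helper exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The order of the two calls matters: once the uid has been dropped, setgid() would fail, so the group is changed first. Filtering the environment is done in addition to dropping privileges, not instead of it; a helper that honours environment variables (the advisory's postfix case) is still reached with whatever the caller passes along, so only named variables should survive.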
Please update your sudo package regardless of which mail package you use.
As a temporary workaround you may remove the setuid bit from sudo with the
command "chmod -s `which sudo`"; note that this disables sudo entirely
until the updated package is installed.
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then install the package using the command "rpm -Fhv file.rpm" to apply
the update ("-F" freshens, i.e. only replaces a package that is already
installed).
i386 Intel Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/i386/update/7.3/ap1/sudo-1.6.3p7-71.i386.rpm
b98f00f761274530bfad3486253bed53
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/sudo-1.6.3p7-71.src.rpm
d046509163e1fc6d4143a8db1c2283d2
SuSE-7.2
ftp://ftp.suse.com/pub/suse/i386/update/7.2/ap1/sudo-1.6.3p6-86.i386.rpm
ee01b7b2ba2e73376eb3c358ccb5b768
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/sudo-1.6.3p6-86.src.rpm
e8cbaa81d9a806169f0c235ed6bc5d6a
SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/ap1/sudo-1.6.3p6-85.i386.rpm
7ba4ae9fb72348e0d1909c9ea79be5e0
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/sudo-1.6.3p6-85.src.rpm
a10b4ecae46aaff271f59c7dd726d8d0
SuSE-7.0
ftp://ftp.suse.com/pub/suse/i386/update/7.0/ap1/sudo-1.6.3p6-85.i386.rpm
345a8e541b66d5016b939560a525d47c
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/sudo-1.6.3p6-85.src.rpm
58afdb9b1e6c9e19440ee4047fff1105
Sparc Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/ap1/sudo-1.6.3p7-26.sparc.rpm
94139dd96c9be67d4e41d38abee95434
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/sudo-1.6.3p7-26.src.rpm
b5f16c705cdcf85754037296b8847b20
SuSE-7.1
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/ap1/sudo-1.6.3p6-32.sparc.rpm
915313678145418569c54332760f989a
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/sudo-1.6.3p6-32.src.rpm
2fd809a5f53992aa23c732d9466e274a
SuSE-7.0
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/ap1/sudo-1.6.3p6-33.sparc.rpm
0c1dce308b37b31ea943369ba23e3dab
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/sudo-1.6.3p6-33.src.rpm
da4786d3e8798e6c31d4eea338e9cd93
AXP Alpha Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/axp/update/7.1/ap1/sudo-1.6.3p6-36.alpha.rpm
eb020b7e212e0d9cb85578a1b49e3529
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/sudo-1.6.3p6-36.src.rpm
fb2652e480282dfecbbb7e6db8ec7bec
SuSE-7.0
ftp://ftp.suse.com/pub/suse/axp/update/7.0/ap1/sudo-1.6.3p6-37.alpha.rpm
35b6ea7ebac976d8b65f9f09b574e107
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/sudo-1.6.3p6-37.src.rpm
0ac6c3001d727f3774a57cc76eb7d4c1
Power PC Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/ap1/sudo-1.6.3p7-51.ppc.rpm
3ff70447a81e3f4c88b44af2445d4f6d
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/sudo-1.6.3p7-51.src.rpm
f71b62019ea2f49e0202f74033f07496
SuSE-7.1
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/ap1/sudo-1.6.3p6-42.ppc.rpm
3bef306a5a8b782fdda0bdd77758b290
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/sudo-1.6.3p6-42.src.rpm
d9475c12754ae3c87cac72484dc90bbc
SuSE-7.0
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/ap1/sudo-1.6.3p6-41.ppc.rpm
54d98aa831bab75529731d0789f01cbd
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/sudo-1.6.3p6-41.src.rpm
c61d3c629eefaf0eb041a630414d6580
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- stunnel
A format string error in the stunnel ssl wrapper was reported on
bugtraq in December 2001. SuSE Linux 7.2 and 7.3 as well as SLES7
ship the stunnel package in version 3.14, which according to the
bugtraq reports would be expected to be vulnerable to this bug.
However, the portion of code in question does not exhibit the format
string problem in its calls to fdprintf(). The SuSE stunnel packages
are therefore not vulnerable to this security problem.
- thttpd
The thttpd daemon contained several off-by-one overflows. Because of the
internal layout of the variables affected by these overflows, they do not
appear to be exploitable. The bugs have nevertheless been fixed; please
update to the newest thttpd packages.
- pine
The popular mail client "pine" was found to be vulnerable to an attack in
which shell metacharacters inside a URL could be used to execute arbitrary
commands when pine passes the URL to an external viewer on the command
line. The pine packages on SuSE products are not vulnerable to this
weakness: the problem is not new, and they already contain a patch that
works around it.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is considered valuable and important to
the free and open source software community, many users wish to be sure
about the origin and content of a package before installing it. There
are two verification methods that can be used independently of each
other to prove the authenticity of a downloaded file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum
Sebastian Krahmer