Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| sudo (Ubuntu) | Fix Released | Wishlist | Marc Deslauriers | |
Bug Description
This requires a merge because there are changes in the Ubuntu version not present in the Debian version.
------ Justification of patches removed from debian/
* typo-in-
  * This exact patch is present in upstream version 1.9.5p2-2
* paths-in-
  * This exact patch is present in upstream version 1.9.5p2-2
* Whitelist-
  * This exact patch is present in upstream version 1.9.5p2-2
* CVE-2021-
  * This exact patch is NOT present in upstream version 1.9.5p2-2
  * The patch is made to address a vulnerability wherein users
    were able to gain information about what directories existed
    that they should not have had access to.
  * Upstream version 1.9.5p2-2 addresses this vulnerability using
    the function sudo_edit_
  * Since the vulnerability is addressed in upstream version
    1.9.5p2-2 it can safely be dropped
* CVE-2021-
  * The code from this patch already exists in upstream
    version 1.9.5p2-2
* CVE-2021-
  * The code from this patch already exists in upstream
    version 1.9.5p2-2
* CVE-2021-
  * The code from this patch already exists in upstream
    version 1.9.5p2-2
* CVE-2021-
  * The code from this patch already exists in upstream
    version 1.9.5p2-2
* CVE-2021-
  * The code from this patch already exists in upstream
    version 1.9.5p2-2
* ineffective_
  * This exact patch is present in upstream version 1.9.5p2-2
    under the name fix-no-
Changes:
* Merge from Debian unstable. (LP: #1915307)
  Remaining changes:
  - debian/rules:
    + use dh-autoreconf
  - debian/rules: stop shipping init scripts, as they are no longer
    necessary.
  - debian/rules:
    + compile with --without-lecture --with-tty-tickets --enable-admin-flag
    + install man/man8/
    + install apport hooks
  - debian/
    + add usr/share/
  - debian/sudo.pam:
    + Use pam_env to read /etc/environment and /etc/default/locale
      environment files. Reading ~/.pam_environment is not permitted due
      to security reasons.
  - debian/sudoers:
    + also grant admin group sudo access
    + include /snap/bin in the secure_path
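The debian/sudo.pam change above keeps pam_env reading only the system-wide files and not the per-user ~/.pam_environment. The script below is an added example, not part of this bug report or of the sudo package: it audits a PAM service file for pam_env lines that do not explicitly set `user_readenv=0`, so that a file which accidentally re-enables per-user environment files for sudo is flagged. The two PAM snippets it checks are constructed samples; `user_readenv` is a real pam_env option, but its default has varied across Linux-PAM releases, so the audit treats an absent option as "not explicitly disabled".

```shell
#!/bin/sh
# Added example (not from the Launchpad bug or the sudo package): audit a
# PAM service file for pam_env.so lines that may read ~/.pam_environment.
# Assumption: pam_env.so honours user_readenv=0; an absent option is
# reported rather than assumed safe, because the default changed over time.
set -eu

# Constructed sample in the style of Ubuntu's debian/sudo.pam: both
# pam_env lines explicitly disable the per-user environment file.
SAMPLE_PAM='#%PAM-1.0
session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive'

# Constructed weak variant: the second pam_env line lacks user_readenv=0.
WEAK_PAM='session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale'

# audit_pam_env: read a PAM service file on stdin, print every pam_env.so
# line that does not explicitly set user_readenv=0, and return 0 only if
# no such line was found (1 otherwise). Comments and blank lines are skipped.
audit_pam_env() {
  bad=0
  while IFS= read -r line; do
    case "$line" in
      \#*|'') continue ;;
    esac
    case "$line" in
      *pam_env.so*)
        # Pad with spaces so the option matches at either end of the line.
        case " $line " in
          *" user_readenv=0 "*) ;;
          *) echo "may read ~/.pam_environment: $line"; bad=1 ;;
        esac ;;
    esac
  done
  return $bad
}

# Stand-alone usage: audit the constructed samples, then the live sudo
# service file if it exists.
printf '%s\n' "$SAMPLE_PAM" | audit_pam_env && echo "sample: ok"
printf '%s\n' "$WEAK_PAM" | audit_pam_env || echo "weak sample: flagged"
if [ -r /etc/pam.d/sudo ]; then
  audit_pam_env < /etc/pam.d/sudo && echo "/etc/pam.d/sudo: ok"
fi
```

Only the pam_env lines are inspected; the `@include` lines pull in the common-* stacks, which would need the same check applied to their own files.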
sudo (1.9.5p2-2) unstable; urgency=medium
  * patch from upstream repo to fix NO_ROOT_MAILER

sudo (1.9.5p2-1) unstable; urgency=high
  * new upstream version, addresses CVE-2021-3156

sudo (1.9.5p1-1.1) unstable; urgency=high
  * Non-maintainer upload.
  * Heap-based buffer overflow (CVE-2021-3156)
    - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
    - Add sudoedit flag checks in plugin that are consistent with front-end
    - Fix potential buffer overflow when unescaping backslashes in user_args
    - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL
    - Don't assume that argv is allocated as a single flat buffer

sudo (1.9.5p1-1) unstable; urgency=medium
  * new upstream version, closes: #980028

sudo (1.9.5-1) unstable; urgency=medium
  * new upstream version

sudo (1.9.4p2-2ubuntu3) hirsute; urgency=medium
  * SECURITY UPDATE: ineffective NO_ROOT_MAILER hardening option
    - debian/
      in plugins/
    - No CVE number

sudo (1.9.4p2-2ubuntu2) hirsute; urgency=medium
  * SECURITY UPDATE: dir existence issue via sudoedit race
    - debian/
      info leak in sudoedit in src/sudo_edit.c.
    - CVE-2021-23239
  * SECURITY UPDATE: heap-based buffer overflow
    - debian/
      MODE_
    - debian/
      plugin in plugins/
    - debian/
      when unescaping backslashes in plugins/
    - debian/
      converting a v1 timestamp to TS_LOCKEXCL in
      plugins/
    - debian/
      allocated as a single flat buffer in src/parse_args.c.
    - CVE-2021-3156
| Changed in sudo (Ubuntu) | |
|---|---|
| assignee | nobody → William Wilson (jawn-smith) |
| status | New → In Progress |
| description | updated |

| Changed in sudo (Ubuntu) | |
|---|---|
| importance | Undecided → Wishlist |
| tags | added: block-proposed |
| tags | removed: block-proposed |
The attachment "Diff from Debian" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]