Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

Bug #1915307 reported by William Wilson
Affects: sudo (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Marc Deslauriers

Bug Description

This requires a merge because there are changes in the Ubuntu version not present in the Debian version.

------ Justification of patches removed from debian/patches/series ------
* typo-in-classic-insults.diff
  * This exact patch is present in upstream version 1.9.5p2-2
* paths-in-samples.diff
  * This exact patch is present in upstream version 1.9.5p2-2
* Whitelist-DPKG_COLORS-environment-variable.diff
  * This exact patch is present in upstream version 1.9.5p2-2
* CVE-2021-23239.patch
  * This exact patch is NOT present in upstream version 1.9.5p2-2
    * The patch is made to address a vulnerability wherein users
      were able to gain information about what directories existed
      that they should not have had access to.
    * Upstream version 1.9.5p2-2 addresses this vulnerability using
      the function sudo_edit_parent_valid in the file src/sudo_edit.c
    * Since the vulnerability is addressed in upstream version
      1.9.5p2-2 it can safely be dropped
* CVE-2021-3156-1.patch
  * The code from this patch already exists in upstream
    version 1.9.5p2-2
* CVE-2021-3156-2.patch
  * The code from this patch already exists in upstream
    version 1.9.5p2-2
* CVE-2021-3156-3.patch
  * The code from this patch already exists in upstream
    version 1.9.5p2-2
* CVE-2021-3156-4.patch
  * The code from this patch already exists in upstream
    version 1.9.5p2-2
* CVE-2021-3156-5.patch
  * The code from this patch already exists in upstream
    version 1.9.5p2-2
* ineffective_no_root_mailer.patch
  * This exact patch is present in upstream version 1.9.5p2-2
    under the name fix-no-root-mailer.diff

Changes:
  * Merge from Debian unstable. (LP: #1915307)
    Remaining changes:
    - debian/rules:
      + use dh-autoreconf
    - debian/rules: stop shipping init scripts, as they are no longer
      necessary.
    - debian/rules:
      + compile with --without-lecture --with-tty-tickets --enable-admin-flag
      + install man/man8/sudo_root.8 in both flavours
      + install apport hooks
    - debian/sudo-ldap.dirs, debian/sudo.dirs:
      + add usr/share/apport/package-hooks
    - debian/sudo.pam:
      + Use pam_env to read /etc/environment and /etc/default/locale
        environment files. Reading ~/.pam_environment is not permitted due
        to security reasons.
    - debian/sudoers:
      + also grant admin group sudo access
      + include /snap/bin in the secure_path

sudo (1.9.5p2-2) unstable; urgency=medium

  * patch from upstream repo to fix NO_ROOT_MAILER

sudo (1.9.5p2-1) unstable; urgency=high

  * new upstream version, addresses CVE-2021-3156

sudo (1.9.5p1-1.1) unstable; urgency=high

  * Non-maintainer upload.
  * Heap-based buffer overflow (CVE-2021-3156)
    - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
    - Add sudoedit flag checks in plugin that are consistent with front-end
    - Fix potential buffer overflow when unescaping backslashes in user_args
    - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL
    - Don't assume that argv is allocated as a single flat buffer

sudo (1.9.5p1-1) unstable; urgency=medium

  * new upstream version, closes: #980028

sudo (1.9.5-1) unstable; urgency=medium

  * new upstream version

sudo (1.9.4p2-2ubuntu3) hirsute; urgency=medium

  * SECURITY UPDATE: ineffective NO_ROOT_MAILER hardening option
    - debian/patches/ineffective_no_root_mailer.patch: fix NO_ROOT_MAILER
      in plugins/sudoers/logging.c, plugins/sudoers/policy.c.
    - No CVE number

sudo (1.9.4p2-2ubuntu2) hirsute; urgency=medium

  * SECURITY UPDATE: dir existence issue via sudoedit race
    - debian/patches/CVE-2021-23239.patch: fix potential directory existing
      info leak in sudoedit in src/sudo_edit.c.
    - CVE-2021-23239
  * SECURITY UPDATE: heap-based buffer overflow
    - debian/patches/CVE-2021-3156-1.patch: reset valid_flags to
      MODE_NONINTERACTIVE for sudoedit in src/parse_args.c.
    - debian/patches/CVE-2021-3156-2.patch: add sudoedit flag checks in
      plugin in plugins/sudoers/policy.c.
    - debian/patches/CVE-2021-3156-3.patch: fix potential buffer overflow
      when unescaping backslashes in plugins/sudoers/sudoers.c.
    - debian/patches/CVE-2021-3156-4.patch: fix the memset offset when
      converting a v1 timestamp to TS_LOCKEXCL in
      plugins/sudoers/timestamp.c.
    - debian/patches/CVE-2021-3156-5.patch: don't assume that argv is
      allocated as a single flat buffer in src/parse_args.c.
    - CVE-2021-3156

Tags: patch
Changed in sudo (Ubuntu):
assignee: nobody → William Wilson (jawn-smith)
status: New → In Progress
description: updated
William Wilson (jawn-smith) wrote :
William Wilson (jawn-smith) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Diff from Debian" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Michael Hudson-Doyle (mwhudson) wrote :

Hi, this looks mostly very good! I have some tiny nitpicks:

1) It's good to mention the patches that are being dropped in the changelog entry.
2) There are some whitespace changes in the bottom of the changelog that you could drop if you felt like it.

William Wilson (jawn-smith) wrote :

This new diff from Debian drops the whitespace changes and adds the dropped CVE patches to the changelog.

Mathew Hodson (mhodson)
Changed in sudo (Ubuntu):
importance: Undecided → Wishlist
Michael Hudson-Doyle (mwhudson) wrote :

Thanks, this looks good to me but out of an abundance of caution (this is sudo, after all), I'm going to get Marc from the security team to take a look -- it seems the upstream fixes for the CVE are a bit different from the ones currently in Ubuntu and I'd like him to verify that we think upstream got this right :-)

Changed in sudo (Ubuntu):
assignee: William Wilson (jawn-smith) → Marc Deslauriers (mdeslaur)
Marc Deslauriers (mdeslaur) wrote :

Debdiff in comment #5 looks good. There was a missing double space between your email and the date in debian/changelog that was causing a lintian error.

I fixed the missing space and uploaded it to hirsute.

Thanks!

Changed in sudo (Ubuntu):
status: In Progress → Fix Committed
iLogin (cerebellum-l) wrote :

 sudo 1.9.5p2-2ubuntu1

sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

...

Alex Murray (alexmurray) wrote :
iLogin (cerebellum-l) wrote :

Yep

Thomas Ward (teward) wrote :

Confirmed the regression that iLogin sees.

From within a hirsute daily LXD container with full apt update and apt dist-upgrade done to it (with `sudo apt install -t hirsute-proposed sudo` done to get the sudo AND updated libc it requires):

root@hirsute-test:~# ls -al $(which sudo)
-rwsr-xr-x 1 2001 2501 190952 Feb 10 11:42 /usr/bin/sudo
root@hirsute-test:~# sudo
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

Which means the package does not work as intended, and will break.

Thomas Ward (teward) wrote :

The version of sudo in the repos already prior to this (1.9.4p2-2ubuntu3) works as expected, though, with proper permissions being set:

root@hirsute-test:~# apt-cache policy sudo
sudo:
  Installed: 1.9.4p2-2ubuntu3
  Candidate: 1.9.4p2-2ubuntu3
  Version table:
     1.9.5p2-2ubuntu1 400
        400 http://us.archive.ubuntu.com/ubuntu hirsute-proposed/main amd64 Packages
 *** 1.9.4p2-2ubuntu3 500
        500 http://us.archive.ubuntu.com/ubuntu hirsute/main amd64 Packages
        100 /var/lib/dpkg/status
root@hirsute-test:~# ls -al $(which sudo)
-rwsr-xr-x 1 root root 182760 Jan 30 19:35 /usr/bin/sudo

tags: added: block-proposed
Thomas Ward (teward) wrote :

Looks like the permissions issue is caused by https://bugs.launchpad.net/ubuntu/+source/fakeroot/+bug/1915250 and everything is now frozen until that is fixed.

tags: removed: block-proposed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.9.5p2-2ubuntu3

---------------
sudo (1.9.5p2-2ubuntu3) hirsute; urgency=medium

  * No change rebuild with fixed ownership.

 -- Dimitri John Ledkov <email address hidden> Thu, 18 Feb 2021 00:03:21 +0000

Changed in sudo (Ubuntu):
status: Fix Committed → Fix Released
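
The regression confirmed in the comments above is a setuid binary shipped with non-root ownership, which sudo refuses to run. As an added example (not part of the original thread or of any Ubuntu tooling), the shell function below checks an `ls -l`-style listing for both conditions in sudo's error message; the function name `audit_setuid_listing` is hypothetical, and it assumes an owner column of `root` or `0` means uid 0.

```shell
#!/bin/sh
# Added example: audit an `ls -l`-style listing read from stdin.
#   $1 = path that must appear as a root-owned setuid file (e.g. /usr/bin/sudo)
# Prints one line per problem and returns 1 if any problem was found.
# Assumes paths contain no spaces (the path is taken from the last field).
audit_setuid_listing() {
    awk -v need="$1" '
        $1 ~ /^-/ {
            # Character 4 of the mode string is the owner-execute slot;
            # "s" or "S" there means the setuid bit is set.
            suid = (substr($1, 4, 1) ~ /[sS]/)
            root = ($3 == "root" || $3 == "0")
            if (suid && !root) {
                printf "setuid but owner is %s:%s: %s\n", $3, $4, $NF
                bad = 1
            }
            if ($NF == need) {
                seen = 1
                if (!suid) {
                    printf "setuid bit missing: %s\n", $NF
                    bad = 1
                }
            }
        }
        END {
            if (need != "" && !seen) {
                printf "not in listing: %s\n", need
                bad = 1
            }
            exit (bad ? 1 : 0)
        }
    '
}

# The two listings quoted in the comments above.
broken='-rwsr-xr-x 1 2001 2501 190952 Feb 10 11:42 /usr/bin/sudo'
working='-rwsr-xr-x 1 root root 182760 Jan 30 19:35 /usr/bin/sudo'

for listing in "$broken" "$working"; do
    if printf '%s\n' "$listing" | audit_setuid_listing /usr/bin/sudo; then
        echo "OK"
    else
        echo "FAIL"
    fi
done
```

Run against the listing of a freshly built package before upload, a non-zero return catches this class of ownership regression without installing the package.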