FFe: Update to sudo 1.8.16

Bug #1563825 reported by Marc Deslauriers on 2016-03-30
This bug affects 1 person
Affects Status Importance Assigned to Milestone
sudo (Ubuntu)

Bug Description

I am requesting a FeatureFreeze exception to update sudo in Xenial to the newly released 1.8.16 version.

Not only does the new 1.8.16 version fix a large number of bugs, but it also fixes security issues:

- CVE-2015-5602: privilege escalation via symlink attack
- CVE-2015-8239: race condition checking digests/checksums in sudoers
- duplicate environment variable handling

The fixes for these issues are intrusive and difficult to backport.

Once 1.8.16 is in Xenial, I intend to backport it to Precise and Trusty as a security update to fix the long standing issue with sudo and timestamp files based on the local clock which resulting in a big refactoring of how timestamp files work in 1.8.10. (See bug 1219337)

See the following for details of the changes between 1.8.12 and 1.8.16:

I will of course monitor bugs and will fix any issues that arise.

CVE References

Marc Deslauriers (mdeslaur) wrote :

Just to be clear, I will start by merging 1.8.15-1.1 from debian, and will update to 1.8.16 which isn't in Debian yet.

Martin Pitt (pitti) wrote :

Only trivial new features, mostly bug fixes. Approved.

Changed in sudo (Ubuntu):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.8.16-0ubuntu1

sudo (1.8.16-0ubuntu1) xenial; urgency=medium

  * Update to new upstream version 1.8.16. (LP: #1563825)
    - Dropped patches no longer needed:
      + CVE-2015-5602-6.patch
      + CVE-2015-5602-7.patch
  * Merge from Debian unstable. Remaining changes:
    - Use tmpfs location to store timestamp files
      + debian/rules: change --with-rundir to /var/run/sudo
      + debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop
        shipping init script and service file, as they are no longer
      + debian/*.preinst, debian/*.postinst, debian/*.postrm: remove old
        init script with dpkg-maintscript-helper.
      + debian/*.postinst: remove old /var/run/sudo to /var/lib/sudo
        transition code, remove old /var/lib/sudo/ts timestamp directory.
    - debian/rules:
      + compile with --without-lecture --with-tty-tickets --enable-admin-flag
      + install man/man8/sudo_root.8 in both flavours
      + install apport hooks
    - debian/sudoers:
      + also grant admin group sudo access
    - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
      + add usr/share/apport/package-hooks
    - debian/sudo.pam:
      + Use pam_env to read /etc/environment and /etc/default/locale
        environment files. Reading ~/.pam_environment is not permitted due to
        security reasons.
    - debian/control:
      + dh-autoreconf dependency fixes missing-build-dependency-for-dh_-command
    - Remaining patches:
      + keep_home_by_default.patch: Keep HOME in the default environment
      + debian/patches/also_check_sudo_group.diff: also check the sudo group
        in plugins/sudoers/sudoers.c to create the admin flag file. Leave the
        admin group check for backwards compatibility.
    - Dropped patches no longer needed:
      + debian/patches/pam_check_untranslated_prompt.patch: upstream.

sudo (1.8.15-1.1) unstable; urgency=medium

  * Non-maintainer upload
  * Disable editing of files via user-controllable symlinks
    (Closes: #804149) (CVE-2015-5602)
    - Fix directory writability checks for sudoedit
    - Enable sudoedit directory writability checks by default

sudo (1.8.15-1) unstable; urgency=low

  * new upstream version, closes: #804149
  * use --with-exampledir to deliver example files more cleanly

 -- Marc Deslauriers <email address hidden> Wed, 30 Mar 2016 08:03:52 -0400

Changed in sudo (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers