sudo returns exit code 0 if child is killed with SIGTERM

Bug #1686803 reported by Vinson Lee on 2017-04-27
266
This bug affects 2 people
Affects Status Importance Assigned to Milestone
sudo
Unknown
Unknown
sudo (Ubuntu)
Medium
Balint Reczey
Xenial
Medium
Unassigned
Yakkety
Medium
Unassigned
Zesty
Medium
Unassigned
Artful
Medium
Balint Reczey

Bug Description

[Impact]

 * sudo returns exit code 0 if child is killed with signals other than SIGINT
 * This can break scripts assuming successful execution of the command ran by
   sudo

[Test Case]

 * Open two separate shells
   1. In shell 1. run:
     ubuntu@tough-calf:~$ sudo sleep 300; echo $?
   2. In shell 2. run:
     root@tough-calf:~# killall -TERM sleep
   3. In broken versions shell 1. shows this:
     ubuntu@tough-calf:~$ sudo sleep 300; echo $?
     0

   4. Install fixed version
   5. Execute steps 1. and 2.
   6. In fixed version shell 1. shows this:
     ubuntu@tough-calf:~$ sudo sleep 300; echo $?
     Terminated
     143

[Regression Potential]

 * sudo may exit with a different status than expected

[Other Info]

original bug description:

Please backport upstream sudo changeset 10917:50b988d0c97f "The fix for Bug #722 contained a typo/thinko that resulted in the" to xenial, yakkety, and zesty versions of sudo.

This will fix a regression documented by this upstream bug report: https://bugzilla.sudo.ws/show_bug.cgi?id=784

sudo 1.8.15 changeset 10229:153f016db8f1 "When the command sudo is running is killed by a signal, sudo will" introduced a regression where the exit status is always 0 when a command is killed by a signal other than SIGINT. https://www.sudo.ws/repos/sudo/rev/153f016db8f1

This will be fixed in sudo 1.8.20 with changeset 10917:50b988d0c97f "The fix for Bug #722 contained a typo/thinko that resulted in the". https://www.sudo.ws/repos/sudo/rev/50b988d0c97f

trusty sudo is based off sudo 1.8.9 and is not affected. xenial sudo based off sudo 1.8.16, yaketty sudo based off sudo 1.8.16, and zesty sudo based off 1.8.19 need the fix.

Vinson Lee (vlee) on 2017-04-27
description: updated
tags: added: xenial yakkety zesty
Luke Faraone (lfaraone) on 2017-04-27
information type: Public → Public Security
Luke Faraone (lfaraone) wrote :

This may have security implications in edge cases. E.g. if an application is checking the status code of `sudo` and using `0` as "good to go", this may allow for access to a resource to be permitted when it should not be.

summary: - Backport changeset 10917:50b988d0c97f "The fix for Bug #722 contained a
- typo/thinko that resulted in the"
+ sudo returns exit code 0 if child is killed with SIGTERM
tags: added: regression-release
Changed in sudo (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Balint Reczey (rbalint) wrote :

If the Security Team does not want to handle this themselves I will happily provide the SRUs.

tags: added: rls-aa-incoming
Vinson Lee (vlee) on 2017-05-30
tags: added: artful
Steve Langasek (vorlon) on 2017-06-09
Changed in sudo (Ubuntu):
assignee: nobody → Balint Reczey (rbalint)
Balint Reczey (rbalint) wrote :

Artful will get the fix by merge in LP: #1697587.

Balint Reczey (rbalint) on 2017-06-13
description: updated
Balint Reczey (rbalint) wrote :
Balint Reczey (rbalint) wrote :
Balint Reczey (rbalint) wrote :
Changed in sudo (Ubuntu Artful):
assignee: Balint Reczey (rbalint) → nobody

Updating the bug; let's keep this assigned to Balint; I uploaded the sudo update to artful as well as the SRUs (and subscribed ~ubuntu-sru)

tags: removed: rls-aa-incoming
Changed in sudo (Ubuntu Artful):
assignee: nobody → Balint Reczey (rbalint)
Changed in sudo (Ubuntu Zesty):
assignee: nobody → Balint Reczey (rbalint)
Changed in sudo (Ubuntu Yakkety):
assignee: nobody → Balint Reczey (rbalint)
Changed in sudo (Ubuntu Xenial):
assignee: nobody → Balint Reczey (rbalint)

Hello Vinson, or anyone else affected,

Accepted sudo into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sudo/1.8.19p1-1ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sudo (Ubuntu Artful):
status: Triaged → Fix Released
Changed in sudo (Ubuntu Zesty):
status: New → Fix Committed
tags: added: verification-needed verification-needed-zesty
Andy Whitcroft (apw) wrote :

Holding this update in yakkety because the security update it is based on seems to have dropped a change from tjaalton for bug: #1686803.

Andy Whitcroft (apw) wrote :

Hello Vinson, or anyone else affected,

Accepted sudo into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sudo/1.8.16-0ubuntu3.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-yakkety to verification-done-yakkety. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-yakkety. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sudo (Ubuntu Yakkety):
status: New → Fix Committed
tags: added: verification-needed-yakkety
Changed in sudo (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
Andy Whitcroft (apw) wrote :

Hello Vinson, or anyone else affected,

Accepted sudo into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sudo/1.8.16-0ubuntu1.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Simon Déziel (sdeziel) wrote :

It works well on Xenial with sudo 1.8.16-0ubuntu1.5, thanks.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Changed in sudo (Ubuntu Zesty):
importance: Undecided → Medium
Changed in sudo (Ubuntu Yakkety):
importance: Undecided → Medium
Changed in sudo (Ubuntu Xenial):
importance: Undecided → Medium
Robie Basak (racb) wrote :

Thank you for the verification, Simon!

15:13 <infinity> rbasak: My general rule of thumb is that cosmetic/"polish" changes only need to go to devel and the stable series' you care to fix, but real behavioural bug fixes can't skip supported releases.

15:13 <infinity> Because someone upgrading from xenial to yakkety shouldn't be subject to a functional regression.

I think this applies to this case. I'll wait for Yakkety and Zesty to be verified before releasing Xenial.

Balint Reczey (rbalint) wrote :

The verification is simple and I did verify the patches but I don't count since I prepared the fix. :-)
I've removed myself as assignee to encourage others to to perform the verification.

Changed in sudo (Ubuntu Yakkety):
assignee: Balint Reczey (rbalint) → nobody
Changed in sudo (Ubuntu Xenial):
assignee: Balint Reczey (rbalint) → nobody
Changed in sudo (Ubuntu Zesty):
assignee: Balint Reczey (rbalint) → nobody
Vinson Lee (vlee) wrote :

Verified sudo_1.8.19p1-1ubuntu1.2_amd64.deb fixes the bug on zesty.

tags: added: verification-done-zesty
removed: verification-needed-zesty
Vinson Lee (vlee) wrote :

Verified sudo_1.8.16-0ubuntu3.3_amd64.deb fixes the bug on yakkety.

tags: added: verification-done-yakkety
removed: verification-needed-yakkety
tags: removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.8.19p1-1ubuntu1.2

---------------
sudo (1.8.19p1-1ubuntu1.2) zesty; urgency=medium

  * Terminate with the same signal as the command (LP: #1686803)
    This fixes a regression introduced in sudo 1.8.15 changeset
    10229:153f016db8f1.

 -- Balint Reczey <email address hidden> Tue, 13 Jun 2017 10:00:00 +0200

Changed in sudo (Ubuntu Zesty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for sudo has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.8.16-0ubuntu1.5

---------------
sudo (1.8.16-0ubuntu1.5) xenial; urgency=medium

  * Terminate with the same signal as the command (LP: #1686803)
    This fixes a regression introduced in sudo 1.8.15 changeset
    10229:153f016db8f1.

 -- Balint Reczey <email address hidden> Tue, 13 Jun 2017 11:10:50 +0200

Changed in sudo (Ubuntu Xenial):
status: Fix Committed → Fix Released
Changed in sudo (Ubuntu Yakkety):
status: Fix Committed → Won't Fix
PeterWoodman (peter-shortbus) wrote :

Hey, I'm not sure this was ever fixed in Xenial. Seems to still be bad.

`pwoodman@iad4c-ra16-40b:~$ sudo sleep 300; echo $?
0
pwoodman@iad4c-ra16-40b:~$ sleep 300; echo $?
Terminated
143
pwoodman@iad4c-ra16-40b:~$ apt-cache policy sudo
sudo:
  Installed: 1.8.16-0ubuntu1.6
  Candidate: 1.8.16-0ubuntu1.6
  Version table:
 *** 1.8.16-0ubuntu1.6 500
        500 http://apt-u16-iad.vip.dbxnw.net/annex-apt-xenial/apt/xenial xenial-security/main amd64 Packages
        500 http://apt-u16-iad.vip.dbxnw.net/annex-apt-xenial/apt/xenial xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.8.16-0ubuntu1.3dbx11 500
        500 http://apt-u16-iad.vip.dbxnw.net/annex-apt-dbx-xenial/apt/dbx-xenial dbx-xenial/main amd64 Packages
     1.8.16-0ubuntu1 500
        500 http://apt-u16-iad.vip.dbxnw.net/annex-apt-xenial/apt/xenial xenial/main amd64 Packages
pwoodman@iad4c-ra16-40b:~$ sudo apt install sudo=1.8.16-0ubuntu1.3dbx11
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libwireshark6 libwiretap5 libwsutil6 linux-headers-4.4.0-133 linux-headers-4.4.0-133-generic
Use 'sudo apt autoremove' to remove them.
The following packages will be DOWNGRADED:
  sudo
0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 193 not upgraded.
Need to get 1,003 kB of archives.
After this operation, 1,268 kB of additional disk space will be used.
Get:1 http://apt-u16-iad.vip.dbxnw.net/annex-apt-dbx-xenial/apt/dbx-xenial dbx-xenial/main amd64 sudo amd64 1.8.16-0ubuntu1.3dbx11 [1,003 kB]
Fetched 1,003 kB in 0s (14.7 MB/s)
dpkg: warning: downgrading sudo from 1.8.16-0ubuntu1.6 to 1.8.16-0ubuntu1.3dbx11
(Reading database ... 327971 files and directories currently installed.)
Preparing to unpack .../sudo_1.8.16-0ubuntu1.3dbx11_amd64.deb ...
Unpacking sudo (1.8.16-0ubuntu1.3dbx11) over (1.8.16-0ubuntu1.6) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up sudo (1.8.16-0ubuntu1.3dbx11) ...
pwoodman@iad4c-ra16-40b:~$ sleep 300; echo $?
Terminated
143
pwoodman@iad4c-ra16-40b:~$ sudo sleep 300; echo $?
Terminated
143```

that other package is our own local fix.

PeterWoodman (peter-shortbus) wrote :

scratch that, this was a regression in -ubuntu16, will open another ticket

Balint Reczey (rbalint) wrote :

@peter-shortbus OK, please follow the procedure in the SRU regression policy: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures#Regressions

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.