2021-02-10 18:05:00 |
William Wilson |
bug |
|
|
added bug |
2021-02-10 18:05:08 |
William Wilson |
sudo (Ubuntu): assignee |
|
William Wilson (jawn-smith) |
|
2021-02-10 18:05:13 |
William Wilson |
sudo (Ubuntu): status |
New |
In Progress |
|
2021-02-10 22:37:48 |
William Wilson |
description |
This requires a merge because there are changes in the Ubuntu version not present in the Debian version. |
This requires a merge because there are changes in the Ubuntu version not present in the Debian version.
------ Justification of patches removed from debian/patches/series ------
* typo-in-classic-insults.diff
* This exact patch is present in upstream version 1.9.5p2-2
* paths-in-samples.diff
* This exact patch is present in upstream version 1.9.5p2-2
* Whitelist-DPKG_COLORS-environment-variable.diff
* This exact patch is present in upstream version 1.9.5p2-2
* CVE-2021-23239.patch
* This exact patch is NOT present in upstream version 1.9.5p2-2
* The patch is made to address a vulnerability wherein users
were able to gain information about what directories existed
that they should not have had access to.
* Upstream version 1.9.5p2-2 addresses this vulnerability using
the function sudo_edit_parent_valid in the file src/sudo_edit.c
* Since the vulnerability is addressed in upstream version
1.9.5p2-2 it can safely be dropped
* CVE-2021-3156-1.patch
* The code from this patch already exitsts in upstream
version 1.9.5p2-2
* CVE-2021-3156-2.patch
* The code from this patch already exitsts in upstream
version 1.9.5p2-2
* CVE-2021-3156-3.patch
* The code from this patch already exitsts in upstream
version 1.9.5p2-2
* CVE-2021-3156-4.patch
* The code from this patch already exitsts in upstream
version 1.9.5p2-2
* CVE-2021-3156-5.patch
* The code from this patch already exitsts in upstream
version 1.9.5p2-2
* ineffective_no_root_mailer.patch
* This exact patch is present in upstream version 1.9.5p2-2
under the name fix-no-root-mailer.diff
Changes:
* Merge from Debian unstable. (LP: #1915307)
Remaining changes:
- debian/rules:
+ use dh-autoreconf
- debian/rules: stop shipping init scripts, as they are no longer
necessary.
- debian/rules:
+ compile with --without-lecture --with-tty-tickets --enable-admin-flag
+ install man/man8/sudo_root.8 in both flavours
+ install apport hooks
- debian/sudo-ldap.dirs, debian/sudo.dirs:
+ add usr/share/apport/package-hooks
- debian/sudo.pam:
+ Use pam_env to read /etc/environment and /etc/default/locale
environment files. Reading ~/.pam_environment is not permitted due
to security reasons.
- debian/sudoers:
+ also grant admin group sudo access
+ include /snap/bin in the secure_path
sudo (1.9.5p2-2) unstable; urgency=medium
* patch from upstream repo to fix NO_ROOT_MAILER
sudo (1.9.5p2-1) unstable; urgency=high
* new upstream version, addresses CVE-2021-3156
sudo (1.9.5p1-1.1) unstable; urgency=high
* Non-maintainer upload.
* Heap-based buffer overflow (CVE-2021-3156)
- Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
- Add sudoedit flag checks in plugin that are consistent with front-end
- Fix potential buffer overflow when unescaping backslashes in user_args
- Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL
- Don't assume that argv is allocated as a single flat buffer
sudo (1.9.5p1-1) unstable; urgency=medium
* new upstream version, closes: #980028
sudo (1.9.5-1) unstable; urgency=medium
* new upstream version
sudo (1.9.4p2-2ubuntu3) hirsute; urgency=medium
* SECURITY UPDATE: ineffective NO_ROOT_MAILER hardening option
- debian/patches/ineffective_no_root_mailer.patch: fix NO_ROOT_MAILER
in plugins/sudoers/logging.c, plugins/sudoers/policy.c.
- No CVE number
sudo (1.9.4p2-2ubuntu2) hirsute; urgency=medium
* SECURITY UPDATE: dir existence issue via sudoedit race
- debian/patches/CVE-2021-23239.patch: fix potential directory existing
info leak in sudoedit in src/sudo_edit.c.
- CVE-2021-23239
* SECURITY UPDATE: heap-based buffer overflow
- debian/patches/CVE-2021-3156-1.patch: reset valid_flags to
MODE_NONINTERACTIVE for sudoedit in src/parse_args.c.
- debian/patches/CVE-2021-3156-2.patch: add sudoedit flag checks in
plugin in plugins/sudoers/policy.c.
- debian/patches/CVE-2021-3156-3.patch: fix potential buffer overflow
when unescaping backslashes in plugins/sudoers/sudoers.c.
- debian/patches/CVE-2021-3156-4.patch: fix the memset offset when
converting a v1 timestamp to TS_LOCKEXCL in
plugins/sudoers/timestamp.c.
- debian/patches/CVE-2021-3156-5.patch: don't assume that argv is
allocated as a single flat buffer in src/parse_args.c.
- CVE-2021-3156 |
|
2021-02-11 15:54:05 |
William Wilson |
attachment added |
|
Diff from Debian https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1915307/+attachment/5462721/+files/debian-ubuntu.debdiff |
|
2021-02-11 15:54:57 |
William Wilson |
attachment added |
|
Diff from latest Ubuntu version https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1915307/+attachment/5462731/+files/ubuntu-ubuntu.debdiff |
|
2021-02-11 16:28:24 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2021-02-11 16:28:32 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2021-02-12 15:43:14 |
William Wilson |
attachment added |
|
Diff from Debian take two https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1915307/+attachment/5463220/+files/debian-ubuntu.debdiff |
|
2021-02-12 20:46:24 |
Mathew Hodson |
sudo (Ubuntu): importance |
Undecided |
Wishlist |
|
2021-02-15 00:19:24 |
Michael Hudson-Doyle |
sudo (Ubuntu): assignee |
William Wilson (jawn-smith) |
Marc Deslauriers (mdeslaur) |
|
2021-02-15 01:22:45 |
Michael Hudson-Doyle |
bug |
|
|
added subscriber Michael Hudson-Doyle |
2021-02-15 18:29:38 |
Marc Deslauriers |
sudo (Ubuntu): status |
In Progress |
Fix Committed |
|
2021-02-16 02:13:09 |
iLogin |
attachment added |
|
Screenshot_20210216_040220.png https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1915307/+attachment/5464005/+files/Screenshot_20210216_040220.png |
|
2021-02-16 07:19:25 |
Sebastien Bacher |
tags |
patch |
block-proposed patch |
|
2021-02-18 16:04:58 |
Dimitri John Ledkov |
tags |
block-proposed patch |
patch |
|
2021-02-20 13:27:37 |
Launchpad Janitor |
sudo (Ubuntu): status |
Fix Committed |
Fix Released |
|