Ubuntu
sudo package

Circumvention of sudo's secure path option

  1. Dapper (6.06)
  2. Bug #588928
Bug #588928 reported by Evan Broder
264
This bug affects 2 people
Affects Status Importance Assigned to Milestone
sudo (Ubuntu)
Fix Released
Undecided
Jamie Strandboge
Dapper
Fix Released
Undecided
Jamie Strandboge
Hardy
Fix Released
Undecided
Jamie Strandboge
Jaunty
Fix Released
Undecided
Jamie Strandboge
Karmic
Fix Released
Undecided
Jamie Strandboge
Lucid
Fix Released
Undecided
Jamie Strandboge
Maverick
Fix Released
Undecided
Jamie Strandboge

Bug Description

Binary package hint: sudo

From sudo upstream:

Most versions of the C library function getenv() return the first instance of an environment variable to the caller. However, some programs, notably the GNU Bourne Again SHell (bash), do their own environment parsing and may choose the last instance of a variable rather than the first one.

An attacker may manipulate the environment of the process that executes Sudo such that a second PATH variable is present. When Sudo runs a bash script, it is this second PATH variable that is used by bash, regardless of whether or not Sudo has overwritten the first instance of PATH. This may allow an attacker to subvert the program being run under Sudo and execute commands he/she would not otherwise be allowed to run.

Patches available at http://www.sudo.ws/repos/sudo/rev/a09c6812eaec for sudo 1.7.2 and http://www.sudo.ws/repos/sudo/rev/3057fde43cf0 for sudo 1.6.9

(http://www.sudo.ws/sudo/alerts/secure_path.html)

CVE References

Evan Broder (broder)
visibility: private → public
Anders Kaseorg (andersk)
Changed in sudo (Ubuntu):
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Dapper - Lucid were fixed in http://www.ubuntu.com/usn/usn-956-1.

Maverick will be fixed after Alpha 2 is released.

Changed in sudo (Ubuntu Lucid):
status: New → Fix Released
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in sudo (Ubuntu Dapper):
status: New → Fix Released
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in sudo (Ubuntu Hardy):
status: New → Fix Released
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in sudo (Ubuntu Jaunty):
status: New → Fix Released
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in sudo (Ubuntu Karmic):
status: New → Fix Released
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in sudo (Ubuntu Maverick):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Confirmed → Triaged
Jamie Strandboge (jdstrand)
Changed in sudo (Ubuntu Maverick):
status: Triaged → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

sudo (1.7.2p7-1ubuntu1) maverick; urgency=low

  * Merge from debian unstable. Remaining changes:
   - debian/rules:
     - compile with --without-lecture --with-tty-tickets (Ubuntu specific)
     - install man/man8/sudo_root.8 (Ubuntu specific)
     - install apport hooks
   - debian/sudo-ldap.dirs, debian/sudo.dirs: add
     usr/share/apport/package-hooks
   - debian/patches/ubuntu-sudo-as-admin-successful.patch: adjust sudo.c so
     that if the user successfully authenticated and he is in the 'admin'
     group, then create a stamp ~/.sudo_as_admin_successful. Our default bash
     profile checks for this and displays a short intro about sudo if the flag
     is not present
  * Dropped the following, now included upstream:
    - fix for CVE-2010-1163
    - fix for CVE-2010-0426
    - debian/sudo.postinst, debian/sudo-ldap.postinst: update description to
      match behavior in sudoers file
    - don't install init script. Debian moved to /var/lib/sudo from
      /var/run/sudo, so Ubuntu's tmpfs usage won't clean those out
      automatically any more, so we now need the initscript.

Changed in sudo (Ubuntu Maverick):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.