[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[linux-security] local root exploit in sudo
- To: linux-security
- Subject: [linux-security] local root exploit in sudo
- From: Martin Siegert <siegert@sfu.ca>
- Date: Wed, 16 Jan 2002 13:52:05 -0800
- User-Agent: Mutt/1.2.5.1i
Topic
=====
local root exploit in sudo
Problem description
===================
Versions of sudo prior to 1.6.4 would not clear the environment before
sending an email notification about unauthorized sudo attempts, making it
possible for an attacker to supply parameters to the mail program. In the
worst case, this could lead to a local root exploit.
Affected Systems
================
Systems that use sudo versions < 1.6.4 .
Solution
========
Upgrade to version 1.6.4
RedHat 6.x
----------
RedHat 6.x did not come with sudo, however, sudo is available from the
powertools packages. This powertools rpm is available from sphinx in
/vol/vol1/distrib/redhat/6.2/contrib.
rpm -Fvh sudo-1.6.4-0.6x.2.i386.rpm
If you have the version installed that was previously provided in the
contrib directory (sudo-1.6.3p6-1) the command above will not output
anything, i.e., will not install the upgrade. Check for your sudo version:
rpm -q sudo
If this returns something like "sudo-1.6.3p6-1", you must upgrade sudo.
Try
rpm -Uvh sudo-1.6.4-0.6x.2.i386.rpm
On my machines this gave the bizarre repsonse:
package sudo-1.6.3p6-1 (which is newer than sudo-1.6.4-0.6x.2) is already
installed
This looks like a bug in rpm - therefore you must force the update:
rpm -Uvh --force sudo-1.6.4-0.6x.2.i386.rpm
This ought to succeed.
RedHat 7.x
----------
rpm -Fvh sudo-1.6.4-0.7x.2.i386.rpm
Debian 2.2 (potato)
-------------------
update to sudo_1.6.2p2-2.1_i386.deb
(this is a patched 1.6.2p2 version that no longer contains the bug)
Mandrake 7.x, 8.x
-----------------
rpm -Fvh sudo-1.6.4-1.1mdk.i586.rpm