Articles / Ubuntu: New sudo packages f…

Ubuntu: New sudo packages fix various security issues

It was discovered that sudo did not properly validate the path for the sudoedit pseudo-command. A local attacker could exploit this to execute arbitrary code as root if sudo was configured to allow the attacker to use sudoedit. It was discovered that sudo did not reset group permissions when the runas_default configuration option was used. A local attacker could exploit this to escalate group privileges if sudo was configured to allow the attacker to run commands under the runas_default account. Updated packages are available from security.ubuntu.com.

===========================================================
Ubuntu Security Notice USN-905-1          February 26, 2010
sudo vulnerabilities
CVE-2010-0426, CVE-2010-0427
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
 sudo                            1.6.8p12-1ubuntu6.1
 sudo-ldap                       1.6.8p12-1ubuntu6.1

Ubuntu 8.04 LTS:
 sudo                            1.6.9p10-1ubuntu3.6
 sudo-ldap                       1.6.9p10-1ubuntu3.6

Ubuntu 8.10:
 sudo                            1.6.9p17-1ubuntu2.2
 sudo-ldap                       1.6.9p17-1ubuntu2.2

Ubuntu 9.04:
 sudo                            1.6.9p17-1ubuntu3.1
 sudo-ldap                       1.6.9p17-1ubuntu3.1

Ubuntu 9.10:
 sudo                            1.7.0-1ubuntu2.1
 sudo-ldap                       1.7.0-1ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that sudo did not properly validate the path for the
'sudoedit' pseudo-command. A local attacker could exploit this to execute
arbitrary code as root if sudo was configured to allow the attacker to use
sudoedit. The sudoedit pseudo-command is not used in the default
installation of Ubuntu. (CVE-2010-0426)

It was discovered that sudo did not reset group permissions when the
'runas_default' configuration option was used. A local attacker could
exploit this to escalate group privileges if sudo was configured to allow
the attacker to run commands under the runas_default account. The
runas_default configuration option is not used in the default installation
of Ubuntu. This issue affected Ubuntu 8.04 LTS, 8.10 and 9.04.
(CVE-2010-0427)


Updated packages for Ubuntu 6.06 LTS:

 Source archives:

   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.1.diff.gz
     Size/MD5:    36465 14d0df16c74cd33e67550cc3011e79bb
   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.1.dsc
     Size/MD5:      618 d3ff741b9d7e1d3e01abd562318018c2
   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12.orig.tar.gz
     Size/MD5:   585643 b29893c06192df6230dd5f340f3badf5

 amd64 architecture (Athlon64, Opteron, EM64T Xeon):

   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.1_amd64.deb
     Size/MD5:   177298 33ba18356cb72b861d6ecda89529b0fb
   http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.8p12-1ubuntu6.1_amd64.deb
     Size/MD5:   189148 aeefad19f406872cac0eded167f4e065

 i386 architecture (x86 compatible Intel/AMD):

   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.1_i386.deb
     Size/MD5:   162882 b873dc9cb110544216feef747d32e5a2
   http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.8p12-1ubuntu6.1_i386.deb
     Size/MD5:   174316 293c645a4a4d57ccb27e473b5ea9c508

 powerpc architecture (Apple Macintosh G3/G4/G5):

   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.1_powerpc.deb
     Size/MD5:   171444 ad26abb760441edbf15f7e098b1e1532
   http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.8p12-1ubuntu6.1_powerpc.deb
     Size/MD5:   183624 8d045143fc6daf29a153184055bfea53

 sparc architecture (Sun SPARC/UltraSPARC):

   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.8p12-1ubuntu6.1_sparc.deb
     Size/MD5:   167550 c27e7f387cb19b5bf3d932957181b5a6
   http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.8p12-1ubuntu6.1_sparc.deb
     Size/MD5:   180092 fc286f32e79a3010f81f20413168aa04

Updated packages for Ubuntu 8.04 LTS:

 Source archives:

   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.6.diff.gz
     Size/MD5:    29374 e6db1630f2b05c8e9839f4fe4aca266a
   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.6.dsc
     Size/MD5:      702 20547db3a024d46b8217acf1e83b83ef
   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10.orig.tar.gz
     Size/MD5:   579302 16db2a1213159a1fac8239eab58108f5

 amd64 architecture (Athlon64, Opteron, EM64T Xeon):

   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.6_amd64.deb
     Size/MD5:   188358 23215819c29dc7de3a4af5ca1a57032c
   http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.6_amd64.deb
     Size/MD5:   200026 7c6057e1ed38e8cda9a4d205faf1ac13

 i386 architecture (x86 compatible Intel/AMD):

   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.6_i386.deb
     Size/MD5:   176538 1e833016ee022766c2ca1a7e29b596ed
   http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.6_i386.deb
     Size/MD5:   187408 0e0472b16b1add85df28b0675589956d

 lpia architecture (Low Power Intel Architecture):

   http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.6_lpia.deb
     Size/MD5:   177632 8b2edc241c35137afd81c396a0043431
   http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.6_lpia.deb
     Size/MD5:   188378 ad2a9d36a94c36e1bcecc1bca64b2d95

 powerpc architecture (Apple Macintosh G3/G4/G5):

   http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.6_powerpc.deb
     Size/MD5:   188556 9f0e4fb02064fc1b40829de2c1e92805
   http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.6_powerpc.deb
     Size/MD5:   202394 ef74f61e9c34ee11ef51d38377a0be55

 sparc architecture (Sun SPARC/UltraSPARC):

   http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p10-1ubuntu3.6_sparc.deb
     Size/MD5:   182512 24f0ed4658aae0c538ca564e4c5950c3
   http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p10-1ubuntu3.6_sparc.deb
     Size/MD5:   193640 a2b3b6604ff6c4546e5a8d061fdb7cab

Updated packages for Ubuntu 8.10:

 Source archives:

   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.2.diff.gz
     Size/MD5:    26459 e127fb89620f45f5d9184bd87b45464a
   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.2.dsc
     Size/MD5:     1098 2959f2bc61d7ccecfb8fc554b446d463
   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17.orig.tar.gz
     Size/MD5:   593534 60daf18f28e2c1eb7641c4408e244110

 amd64 architecture (Athlon64, Opteron, EM64T Xeon):

   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.2_amd64.deb
     Size/MD5:   191296 c1d1c53708d512a746da226117d130d0
   http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.2_amd64.deb
     Size/MD5:   202256 f4d5961be5ef3eee80906f2c6d39a4b8

 i386 architecture (x86 compatible Intel/AMD):

   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.2_i386.deb
     Size/MD5:   179370 d21813fed543bfed0e0704a1ce0341ef
   http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.2_i386.deb
     Size/MD5:   188842 55a32e9081772f8611e1006d3ddcfb50

 lpia architecture (Low Power Intel Architecture):

   http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.2_lpia.deb
     Size/MD5:   180432 ab0bcf69bfba1bc48e9a6a3ba3030c5f
   http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.2_lpia.deb
     Size/MD5:   189652 8dc329d7a87d2d5bf2eb70071361b792

 powerpc architecture (Apple Macintosh G3/G4/G5):

   http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.2_powerpc.deb
     Size/MD5:   188732 81d7e525bdfb3421d46e5c7623963e63
   http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.2_powerpc.deb
     Size/MD5:   201208 69d7905dce680b3d9f30f6476e486ae6

 sparc architecture (Sun SPARC/UltraSPARC):

   http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu2.2_sparc.deb
     Size/MD5:   184208 1d87f6e84ad37cceb1ab1b16083336ad
   http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu2.2_sparc.deb
     Size/MD5:   193944 b6c81515751ff1b11d6b7b8bf9893206

Updated packages for Ubuntu 9.04:

 Source archives:

   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.1.diff.gz
     Size/MD5:    26464 d01e9f40ceb7ee72cd544dccc0ff61ec
   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.1.dsc
     Size/MD5:     1098 7d36e3ce35d2745b8ad1ee6f3341713d
   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17.orig.tar.gz
     Size/MD5:   593534 60daf18f28e2c1eb7641c4408e244110

 amd64 architecture (Athlon64, Opteron, EM64T Xeon):

   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.1_amd64.deb
     Size/MD5:   191292 db0dd72e435fc48ac109d67b9d896573
   http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.1_amd64.deb
     Size/MD5:   202254 5ba756fd3ddf796ea948f0f3da4cdd80

 i386 architecture (x86 compatible Intel/AMD):

   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.1_i386.deb
     Size/MD5:   179392 d8984ef79dfd27e314343b3e8f42bb41
   http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.1_i386.deb
     Size/MD5:   188846 ce40b21ebc2e2a95be415c768661a785

 lpia architecture (Low Power Intel Architecture):

   http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.1_lpia.deb
     Size/MD5:   180456 6fded1767a6b44cf99f25a82476a52da
   http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.1_lpia.deb
     Size/MD5:   189674 e271b1fa6d7f17917163dbb37863eb2e

 powerpc architecture (Apple Macintosh G3/G4/G5):

   http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.1_powerpc.deb
     Size/MD5:   188744 039f52f42d3eeded8ce75e96e276e53d
   http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.1_powerpc.deb
     Size/MD5:   201216 2a649addcffab0eaa94f36a45c3848cd

 sparc architecture (Sun SPARC/UltraSPARC):

   http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.6.9p17-1ubuntu3.1_sparc.deb
     Size/MD5:   184136 ca187dd7a7b3eca1b6788bb8b7615f7e
   http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.6.9p17-1ubuntu3.1_sparc.deb
     Size/MD5:   193798 ebf79bbc5f19b50d8ffa60bad381966b

Updated packages for Ubuntu 9.10:

 Source archives:

   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.1.diff.gz
     Size/MD5:    23742 31fa50ea42efb75a6995ce43e05f8d3a
   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.1.dsc
     Size/MD5:     1117 ac9f701eef71f472756479f9c07d5ff3
   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0.orig.tar.gz
     Size/MD5:   744311 5fd96bba35fe29b464f7aa6ad255f0a6

 amd64 architecture (Athlon64, Opteron, EM64T Xeon):

   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.1_amd64.deb
     Size/MD5:   310278 7f1b840d6412b168c70d2f136cb0a3a5
   http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.1_amd64.deb
     Size/MD5:   333962 a01561815cf0e835cb889663eaf81d06

 i386 architecture (x86 compatible Intel/AMD):

   http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.1_i386.deb
     Size/MD5:   297694 d514dde2dfc8ec32c92de9d71d8f5832
   http://security.ubuntu.com/ubuntu/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.1_i386.deb
     Size/MD5:   319300 e3a4e6d67ed8644c9bed06337cadc156

 lpia architecture (Low Power Intel Architecture):

   http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.1_lpia.deb
     Size/MD5:   297858 82f884376f3ab60cd35466d70446514d
   http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.1_lpia.deb
     Size/MD5:   319686 f9ec4970846681134c868621c8d5989e

 powerpc architecture (Apple Macintosh G3/G4/G5):

   http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.1_powerpc.deb
     Size/MD5:   305874 88b6f4ad953f85c7b32898b7b3823163
   http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.1_powerpc.deb
     Size/MD5:   328914 b973b5fa801148e11d3747ab89b84a3f

 sparc architecture (Sun SPARC/UltraSPARC):

   http://ports.ubuntu.com/pool/main/s/sudo/sudo_1.7.0-1ubuntu2.1_sparc.deb
     Size/MD5:   301460 e5cf051efacfdca66a3aa186d01f5a80
   http://ports.ubuntu.com/pool/universe/s/sudo/sudo-ldap_1.7.0-1ubuntu2.1_sparc.deb
     Size/MD5:   323606 b82e9af9f7f18ebf31aee38835aaf901
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.