Ubuntu alert USN-1442-1 (sudo)

From:  Tyler Hicks <tyhicks@canonical.com>
To:  ubuntu-security-announce@lists.ubuntu.com
Subject:  [USN-1442-1] Sudo vulnerability
Date:  Wed, 16 May 2012 14:29:08 -0500
Message-ID:  <20120516192907.GA28714@boyd>

==========================================================================
Ubuntu Security Notice USN-1442-1
May 16, 2012

sudo vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Sudo could allow users to run arbitrary programs as the administrator.

Software Description:
- sudo: Provide limited super user privileges to specific users

Details:

It was discovered that sudo incorrectly handled network masks when using
Host and Host_List. A local user who is listed in sudoers may be allowed to
run commands on unintended hosts when IPv4 network masks are used to grant
access. A local attacker could exploit this to bypass intended access
restrictions. Host and Host_List are not used in the default installation of
Ubuntu.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  sudo                            1.8.3p1-1ubuntu3.2
  sudo-ldap                       1.8.3p1-1ubuntu3.2

Ubuntu 11.10:
  sudo                            1.7.4p6-1ubuntu2.1
  sudo-ldap                       1.7.4p6-1ubuntu2.1

Ubuntu 11.04:
  sudo                            1.7.4p4-5ubuntu7.2
  sudo-ldap                       1.7.4p4-5ubuntu7.2

Ubuntu 10.04 LTS:
  sudo                            1.7.2p1-1ubuntu5.4
  sudo-ldap                       1.7.2p1-1ubuntu5.4

Ubuntu 8.04 LTS:
  sudo                            1.6.9p10-1ubuntu3.9
  sudo-ldap                       1.6.9p10-1ubuntu3.9

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1442-1
  CVE-2012-2337

Package Information:
  https://launchpad.net/ubuntu/+source/sudo/1.8.3p1-1ubuntu3.2
  https://launchpad.net/ubuntu/+source/sudo/1.7.4p6-1ubuntu2.1
  https://launchpad.net/ubuntu/+source/sudo/1.7.4p4-5ubuntu7.2
  https://launchpad.net/ubuntu/+source/sudo/1.7.2p1-1ubuntu5.4
  https://launchpad.net/ubuntu/+source/sudo/1.6.9p10-1ubunt...

-- 
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security...
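The advisory notes that only sudoers files granting access by IPv4 network mask in a host list are affected. As an added example (not part of the advisory and not code from sudo or Ubuntu), the following heuristic scan reports such entries so an administrator can judge exposure before and after updating. The function names and the sample sudoers text are constructed for illustration, and `#include`d files are assumed to be scanned separately.

```python
import re

# IPv4 network with a dotted-quad or CIDR mask, e.g. 10.0.0.0/255.0.0.0 or 10.0.0.0/8
NETMASK_RE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}/(?:(?:\d{1,3}\.){3}\d{1,3}|\d{1,2})\b")

def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def host_scopes(line):
    """Return the parts of one sudoers line that are parsed as host lists."""
    if line.startswith("Host_Alias"):
        return [line]                      # every right-hand side is a host list
    if line.startswith("Defaults"):
        return [line.split()[0]]           # Defaults@host_list binding, if any
    # User spec: "user hosts = cmnds : hosts = cmnds"; a ':' in a command is escaped
    segments = re.split(r"(?<!\\):", line)
    return [seg.partition("=")[0] for seg in segments if "=" in seg]

def find_netmask_hosts(text):
    """Return [(line_no, entry)] for IPv4 network/netmask host entries."""
    findings = []
    for no, line in logical_lines(text):
        line = re.sub(r"\s+#(?!\d).*", "", line.strip())   # drop trailing comment
        if not line or line.startswith("#"):
            continue                       # comments; #include files are not followed
        for scope in host_scopes(line):
            findings += [(no, hit) for hit in NETMASK_RE.findall(scope)]
    return findings

# Constructed sample sudoers content, for illustration only
SAMPLE = r"""# constructed sample
Host_Alias  LAB = 10.1.0.0/255.255.0.0, build01 : \
            DMZ = 192.0.2.0/24
Cmnd_Alias  NET = /sbin/ip route add 10.9.0.0/16
Defaults    env_reset
alice  LAB = NET
bob    198.51.100.0/25, web01 = /usr/bin/systemctl restart nginx
carol  ALL = (root : adm) /bin/ls
"""

if __name__ == "__main__":
    for no, entry in find_netmask_hosts(SAMPLE):
        print(f"line {no}: host entry uses IPv4 netmask: {entry}")
```

An empty result means no host list in the scanned text relies on an IPv4 netmask; any reported entry is a rule whose host matching depends on the behaviour this update corrects.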


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds