Your message dated Sun, 10 Mar 2013 17:02:21 +0000 with message-id <[email protected]> and subject line Bug#701839: fixed in sudo 1.7.4p4-2.squeeze.4 has caused the Debian Bug report #701839, regarding sudo: CVE-2013-1776 potential bypass of sudo tty_tickets constraints to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 701839: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701839 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: sudo Severity: important Tags: security Hi, the following vulnerability was published for sudo. CVE-2013-1776[0]: (from the upstream report) Sudo 1.8.6p7 and 1.7.10p6 are now available which include a fix for the following bug: Potential bypass of sudo tty_tickets constraints Summary: When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). This time stamp file can either be common to all of a user's terminals, or it can be specific to the particular terminal the user authenticated themselves on. The terminal-specific time stamp file behavior can be controlled using the "tty_tickets" option in the sudoers file. This option has been enabled by default since sudo 1.7.4. Prior to sudo 1.7.4, the default was to use a single time stamp for all the user's sessions. A vulnerability exists because the user can control which terminal the standard input, output and error file descriptors (0-2) refer to. A malicious user could use this to run commands via sudo without authenticating, so long as there exists a terminal the user has access to where a sudo command was successfully run by that same user within the password timeout period (usually five minutes). The vulnerability does not permit a user to run commands other than those allowed by the sudoers policy. Sudo versions affected: Sudo 1.3.5 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p7 when the "tty_tickets" option is enabled. This option is enabled by default in sudo 1.7.4 and above. Details: The vulnerability can be triggered when the standard input, output and error file descriptors (0-2) of a process are closed and a different terminal device is opened and connected to those descriptors. When sudo tries to determine the terminal device via the ttyname() function, it will get the name of the other terminal instead. The core problem is that while ttyname() can be used to determine the name of the terminal device connected to a specific file descriptor, there is no portable way to determine the name of the terminal associated with the session the process belongs to. However, on many systems it is possible to determine this by using the /proc file system or the sysctl() function. Most operating systems that have the /proc file system provide a way to determine the controlling terminal device number for a process; this information is used by the ps command for example. On Linux, this is the tty_nr field in /proc/self/stat (the seventh entry). On systems with an SVR4-style /proc, this is the pr_ttydev member of struct psinfo, which comes from /proc/self/psinfo. Most BSD systems that support the sysctl() function also provide a way to get the terminal device number via the KERN_PROC_PID sysctl. By mapping this device number to a file name, it is possible to get the name of the terminal file without resorting to ttyname(). Sudo began using this method to determine the process's terminal starting with version 1.8.5 and 1.7.10. However, sudo still used the ttyname() function as a fall back when no controlling terminal was found via /proc or sysctl(). This allowed a malicious process to cause sudo to use ttyname() simply by creating a new session without a controlling tty before executing sudo. In sudo 1.8.6p6 and 1.7.10p5, this fall back behavior was removed. This fixed the vulnerability for systems where the process's controlling terminal could be determined via /proc or sysctl(). Sudo 1.8.6p7 and 1.7.10p6 contain an additional fix for systems without /proc or sysctl() that stores the POSIX session ID in the time stamp file itself. The controlling terminal is specific to the POSIX session it is associated with. It is not possible for two processes in different sessions to have the same controlling terminal. Sudo will now compare the current session ID with the one in the time stamp file and ignore the time stamp file if the session ID does not match. This has the additional benefit of making it much less likely that a user will be able to reuse the time stamp file after logging out and back in again on the same terminal. Impact: A (potentially malicious) program run by a user with sudo access may be able to bypass the "tty_ticket" constraints. In order for this to succeed there must exist on the machine a terminal device that the user has previously authenticated themselves on via sudo within the last time stamp timeout (5 minutes by default). This program may use sudo's -n flag to "probe" the terminals in question to see if there is an active time stamp file for the user. Prior to sudo 1.8.6 and 1.7.10, if a password was required when the -n flag was specified the failure would not be logged, allowing the program to perform such probes without being detected. The successful command (if any), would still be logged. Fix: The bug is fixed in sudo 1.8.6p7 and 1.7.10p6. Credit: Ryan Castellucci brought the initial ttyname() issue to my attention. Subsequently, James Ogden discovered that using setsid() to create a new session would cause sudo to fall back to using ttyname(). Other shortcomings in sudo's "tty_tickets" functionality have been known and discussed openly for some time. There is a long discussion about them at: https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/87023 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1776 http://security-tracker.debian.org/tracker/CVE-2013-1776 Please adjust the affected versions in the BTS as needed. -- Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0xA0A0AAAA
pgpGy2Z4f1LGC.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---Source: sudo Source-Version: 1.7.4p4-2.squeeze.4 We believe that the bug you reported is fixed in the latest version of sudo, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Michael Gilbert <[email protected]> (supplier of updated sudo package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Wed, 06 Mar 2013 18:41:15 +0000 Source: sudo Binary: sudo sudo-ldap Architecture: source amd64 Version: 1.7.4p4-2.squeeze.4 Distribution: stable-security Urgency: high Maintainer: Bdale Garbee <[email protected]> Changed-By: Michael Gilbert <[email protected]> Description: sudo - Provide limited super user privileges to specific users sudo-ldap - Provide limited super user privileges to specific users Closes: 701838 701839 Changes: sudo (1.7.4p4-2.squeeze.4) stable-security; urgency=high . * Fix cve-2013-1775: authentication bypass when the clock is set to the UNIX epoch [00:00:00 UTC on 1 January 1970] (closes: #701838). * Fix cve-2013-1776: session id hijacking from another authorized tty (closes: #701839). Checksums-Sha1: 38d3ef0ea1632746b4cdba65c23f2bfbd8ee0741 2409 sudo_1.7.4p4-2.squeeze.4.dsc 45b34139fb11e054c139e8cd490b66f1ab4310b3 26820 sudo_1.7.4p4-2.squeeze.4.debian.tar.gz 2787aff0d629ca809a5c8379363e973c53ab4b86 610580 sudo_1.7.4p4-2.squeeze.4_amd64.deb 7835c2b5dcac20992edc5f1a34e5770402f07052 636122 sudo-ldap_1.7.4p4-2.squeeze.4_amd64.deb Checksums-Sha256: 0c3296d2b60c8714c8ce05da7fe16cdd93fa9d1f8dfa77dac335eb50474742fd 2409 sudo_1.7.4p4-2.squeeze.4.dsc 2f5ecd85e449c578358d08cfaf720a38a2a1a7d1b5b98588a4d37c806358eee9 26820 sudo_1.7.4p4-2.squeeze.4.debian.tar.gz 897938338ce027885bfdd01bf1fe14b69fad88df9b06a6452ebd443a34d890b0 610580 sudo_1.7.4p4-2.squeeze.4_amd64.deb e29664e57d452a062b93b82c803176ec050a862ed346c5b59e09e92a37792dc8 636122 sudo-ldap_1.7.4p4-2.squeeze.4_amd64.deb Files: 8d68f623c42268605baabe3b56e5f0f9 2409 admin optional sudo_1.7.4p4-2.squeeze.4.dsc 339ce612cd70937d3658c9e2b76f6424 26820 admin optional sudo_1.7.4p4-2.squeeze.4.debian.tar.gz 07c29e218682def30096615f476f7ba2 610580 admin optional sudo_1.7.4p4-2.squeeze.4_amd64.deb 80d0993d6602ea0469407f2a04959fc9 636122 admin optional sudo-ldap_1.7.4p4-2.squeeze.4_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQQcBAEBAgAGBQJRN5U9AAoJELjWss0C1vRzBQYf/iy2W3WlxDrw3b5ulsdn6bpI DBraaNIhGTdmQGHjcHnh02Rnnxz8Zsa7AYR2tAt01kDrRYZEW2D3ue+5+3baaS0k pOUEmT+S7SNYUcIpL4sg2z/kRTZvbLZaFKcED7em8LiTp52FZbFBoGTB4jWqGe3s MGfgdd5bR/HO/qk4rB5q6bW4NJNg6QJ4X7RkbXkfbeuUERh1ALJ4DJdejI7sS97f NGD2wVtOdK6r0MiclBnihZfKcm/W4ahKR6JY02PRMiQiIMmb2IgJ+t2wW7L3QluL /s7OLFEUZq51mfah85/IGvQJc1B7eC+Rq/Q+4d6i/1MXOia5dhVqVAP8SxBluTor iAxITezIRJD6vM6nV2Hd+YjwhE7yb4OAuiaZqz5nQx7ppykOWvzUqT11KFuLTBw1 RfUC4aJbJwRK5CfKvBoWopXc/ujlGOhrPxHyEKbGzYLHsWVmPY1+Q0JoD9dp2hhB HYHTdgvHFv3qr6OgtxnWcYk7MbiwjLd0lH8nhST8uDBk+jlV9+nTyRHN2Nbjg6DZ 0hLQ87pHRRt54cjpfhp2kVDFkEpAmeGsNo0hoC5+A9PWaen0Gfd2ALoDncfRtAWC RFnRZ+HC/x8KG5sYfl8By1gvwvU+c69ba0iYTHN8/YY5ajUBdPc1X9oFbsSH8TMY lG7wBdjjUu4mQkDM7RK7gbGHY8uH2+sA0z7osEPy7TPgvetD3v05GuuJPRwv7RxR 0X19QnIhK6uDcV7FI/NewEoq73Wdclpuxdjp0ODFlhpVPq2ZSI7V68stARhOEAaH bv/IhFre8AJaRA2/9nIqySOm3bdWPeQ3DxECjheLtfCN6fcpSIxr/NrraCFytmY8 OKIFPJEaTxGSkVUBRq/WzxqXJ6t1jmYr1UaqezB2MnTeDyU69as1ZZqQ2F2OBoYz /mCpuZ1RxDa90gDS5W6VsrO9NaT53kNAiHBd0Ck5aTrcbBmzdXjEMXR0NCeYSn2+ VZ25wmNvrgtrVmL/KKVr2doDFNMeiR119LFKXn7+6ZST0l5DuvSNIVtr51egDDn4 dh7qs3GHE00NCNfW2rMwLec21+LMihwj+65Hto6VV1J6Q5dsw8tpWFuxDl8YiuLr Rmu1hi//JdCah62a9h9sKJkELqZHpR7yQt/Vu4/0j8LoUkEUds49hmd/e5fqeUY+ YZ4KMd13QexhaYE1kg26v91d9dbiiPv8n4OIIvkq3PKV5HoRJgvFLsRnnhTgTVyu L3bHb4kfPu66j97EL7hAiKQq7H+BevwnqYbjy5C4gjBcoB1wP+HPJl6b8w+lLD8F s8vxcmCyvJUHrwgiW0SvsI90CvjCYQx0I9Gc+EnIwiY2150cifJbKJQdTeYzFwk= =bZxh -----END PGP SIGNATURE-----
--- End Message ---
