tags 673766 + patch tags 673766 + pending user ubuntu-de...@lists.ubuntu.com usertag 673766 + ubuntu-patch thanks
Dear maintainer, I've prepared an NMU for sudo (versioned as 1.8.3p2-1.1). Please consider uploading this Security fix. Regards.
diff -Nru sudo-1.8.3p2/debian/changelog sudo-1.8.3p2/debian/changelog
--- sudo-1.8.3p2/debian/changelog 2012-01-30 16:11:54.000000000 +0000
+++ sudo-1.8.3p2/debian/changelog 2012-05-22 12:26:47.000000000 +0100
@@ -1,3 +1,14 @@
+sudo (1.8.3p2-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * SECURITY UPDATE: Properly handle netmasks in sudoers Host and Host_List
+ values (LP: #1000276, Closes: #673766)
+ - debian/patches/CVE-2012-2337.patch: Don't perform IPv6 checks on IPv4
+ addresses. Based on upstream patch.
+ - CVE-2012-2337
+
+ -- Dmitrijs Ledkovs <dmitrijs.ledk...@canonical.com> Tue, 22 May 2012 12:23:00 +0100
+
 sudo (1.8.3p2-1) unstable; urgency=high
 
 * new upstream version, closes: #657985 (CVE-2012-0809)
diff -Nru sudo-1.8.3p2/debian/patches/CVE-2012-2337.patch sudo-1.8.3p2/debian/patches/CVE-2012-2337.patch
--- sudo-1.8.3p2/debian/patches/CVE-2012-2337.patch 1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.3p2/debian/patches/CVE-2012-2337.patch 2012-05-22 12:21:08.000000000 +0100
@@ -0,0 +1,47 @@
+Description: Prevent IPv6 netmask-based address matching logic from incorrectly
+ being applied to IPv4 addresses.
+Author: Todd C. Miller <todd.mil...@courtesan.com>
+Origin: upstream, http://www.sudo.ws/repos/sudo/rev/672a4793931a
+
+Index: sudo-1.8.3p1/plugins/sudoers/match_addr.c
+===================================================================
+--- sudo-1.8.3p1.orig/plugins/sudoers/match_addr.c 2011-10-21 08:01:25.000000000 -0500
++++ sudo-1.8.3p1/plugins/sudoers/match_addr.c 2012-05-16 09:45:03.289738323 -0500
+@@ -73,7 +73,7 @@
+ for (ifp = interfaces; ifp != NULL; ifp = ifp->next) {
+ if (ifp->family != family)
+ continue;
+- switch(family) {
++ switch (family) {
+ case AF_INET:
+ if (ifp->addr.ip4.s_addr == addr.ip4.s_addr ||
+ (ifp->addr.ip4.s_addr & ifp->netmask.ip4.s_addr)
+@@ -91,6 +91,7 @@
+ }
+ if (j == sizeof(addr.ip6.s6_addr))
+ return TRUE;
++ break;
+ #endif
+ }
+ }
+@@ -154,10 +155,11 @@
+ for (ifp = interfaces; ifp != NULL; ifp = ifp->next) {
+ if (ifp->family != family)
+ continue;
+- switch(family) {
++ switch (family) {
+ case AF_INET:
+ if ((ifp->addr.ip4.s_addr & mask.ip4.s_addr) == addr.ip4.s_addr)
+ return TRUE;
++ break;
+ #ifdef HAVE_IN6_ADDR
+ case AF_INET6:
+ for (j = 0; j < sizeof(addr.ip6.s6_addr); j++) {
+@@ -166,6 +168,7 @@
+ }
+ if (j == sizeof(addr.ip6.s6_addr))
+ return TRUE;
++ break;
+ #endif /* HAVE_IN6_ADDR */
+ }
+ }
diff -Nru sudo-1.8.3p2/debian/patches/series sudo-1.8.3p2/debian/patches/series
--- sudo-1.8.3p2/debian/patches/series 2011-10-23 00:49:16.000000000 +0100
+++ sudo-1.8.3p2/debian/patches/series 2012-05-22 12:22:07.000000000 +0100
@@ -1,2 +1,3 @@
 typo-in-classic-insults.diff
 paths-in-samples.diff
+CVE-2012-2337.patch
-- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/debian-bugs-rc
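Review bot: In the embedded match_addr.c patch, the first inner hunk (`@@ -73,7 +73,7 @@`) changes only `switch(family)` to `switch (family)`, and its context stops inside the `case AF_INET:` condition, so nothing visible here shows that this IPv4 case ends in `break;` the way the netmask loop at `@@ -154,10 +155,11 @@` now does. That should be confirmed against the full file, since a missing `break;` there would leave the same IPv4-into-IPv6 fall-through that this upload closes. Dropping the whitespace-only `switch` edits would leave only the three added `break;` lines in the patch, which is easier to audit in a security NMU. A short comment above the new `break;` after the IPv4 mask test, such as `/* no fall-through: an IPv4 address must never reach the IPv6 mask loop */`, would keep the intent visible to later editors. The patch header still names `sudo-1.8.3p1` while the package is 1.8.3p2, so it is worth checking that it applies without fuzz.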