On Sat 30 Jan 2021 at 05:27:30 (+0000), Robbi Nespu wrote:
> On Fri, 29 Jan 2021 10:58:06 -0600, David Wright wrote:
> > https://security-tracker.debian.org/tracker/CVE-2021-3156
> > is a timely example of how Debian deals with such problems.
> > Note in particular the line
> >
> >   stretch (security) 1.8.19p1-2.1+deb9u3 fixed
> >
> > showing that stretch's version gets a fix, not an upgrade.
>
> How can you confirm that 1.8.19p1-2.1+deb9u3 fixes CVE-2021-3156?

The changelog, /usr/share/doc/sudo/changelog.Debian.gz, starts with:

sudo (1.8.19p1-2.1+deb9u3) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Heap-based buffer overflow (CVE-2021-3156)
    - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
    - Add sudoedit flag checks in plugin that are consistent with front-end
    - Fix potential buffer overflow when unescaping backslashes in user_args
    - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL
    - Don't assume that argv is allocated as a single flat buffer

 -- Salvatore Bonaccorso <[…]>  Sat, 23 Jan 2021 10:10:33 +0100

> I could not see source code for that version here[1], I only can find
> 1.8.19p1-2.1+deb9u2 . Are source repositories for security releases
> separated?

Yes, the sources are for the current distribution, buster. As for
binaries, deb.debian.org/debian will carry the latest point release.
You need to make sure you have security.debian.org/debian-security in
your sources.list so that you receive all the security updates.

The new source is not normally available as such, but as a cumulative
set of patches. So that would be sudo_1.8.19p1-2.1+deb9u3.debian.tar.xz
for stretch.

It can sometimes be confusing for those not used to the Debian Way, who
might judge the security of a package from only the upstream version
number (i.e. before the hyphen).

> 1. https://sources.debian.org/src/sudo/

Cheers,
David.
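The two checks David describes above (read the Debian changelog entry for the installed version to see whether it names the CVE, and confirm that sources.list carries the security suite) can be scripted. The following is an added example written for this thread, not code from the list or from Debian; the changelog text is constructed from the entry quoted above with the maintainer address replaced by a placeholder, the older deb9u2 entry and the sources.list content are constructed, and installed_check assumes a Debian system with dpkg-query and zcat.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify that a Debian
# package's changelog records a CVE fix for a given version, and that a
# sources.list contains the security suite for a release.

# Constructed changelog text. On a real system this comes from
#   zcat /usr/share/doc/sudo/changelog.Debian.gz
# The deb9u3 entry is the one quoted in the thread (address replaced by a
# placeholder); the deb9u2 entry below it is constructed filler.
SAMPLE_CHANGELOG='sudo (1.8.19p1-2.1+deb9u3) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Heap-based buffer overflow (CVE-2021-3156)
    - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
    - Add sudoedit flag checks in plugin that are consistent with front-end
    - Fix potential buffer overflow when unescaping backslashes in user_args

 -- Salvatore Bonaccorso <EMAIL-PLACEHOLDER>  Sat, 23 Jan 2021 10:10:33 +0100

sudo (1.8.19p1-2.1+deb9u2) stretch-security; urgency=high

  * Constructed older entry (placeholder CVE-0000-0000)

 -- Security Team <EMAIL-PLACEHOLDER>  Mon, 06 Jan 2020 00:00:00 +0000
'

# Constructed sources.list: one plain mirror line, one commented-out
# security line (must be ignored) and one active security line.
SAMPLE_SOURCES='deb http://deb.debian.org/debian stretch main
# deb http://security.debian.org/debian-security stretch/updates main
deb http://security.debian.org/debian-security stretch/updates main
'

# changelog_fixes_cve CHANGELOG_TEXT CVE VERSION
# Prints "yes" if CVE appears inside the changelog entry for VERSION,
# i.e. between the "pkg (VERSION) suite; ..." header and the next header.
changelog_fixes_cve() {
    printf '%s\n' "$1" | awk -v cve="$2" -v ver="$3" '
        /^[a-z0-9.+-]+ \(/ { inentry = (index($0, "(" ver ")") > 0) }
        inentry && index($0, cve) { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# fixing_version CHANGELOG_TEXT CVE
# Prints the newest version whose entry mentions CVE (entries are newest
# first), or nothing if no entry does.
fixing_version() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^[a-z0-9.+-]+ \(/ { ver = $2; sub(/^\(/, "", ver); sub(/\)$/, "", ver) }
        index($0, cve) && !done { print ver; done = 1 }'
}

# has_security_source SOURCES_TEXT SUITE
# Prints "yes" if an uncommented "deb" line points at security.debian.org
# with the SUITE/updates security suite (the naming used for stretch).
has_security_source() {
    printf '%s\n' "$1" | awk -v suite="$2/updates" '
        /^[[:space:]]*deb[[:space:]]/ && /security\.debian\.org/ && $3 == suite { ok = 1 }
        END { print (ok ? "yes" : "no") }'
}

# installed_check PKG CVE
# Same changelog test against the package actually installed on this host.
# Assumes a Debian system; returns 1 if dpkg-query or the changelog is absent.
installed_check() {
    command -v dpkg-query >/dev/null 2>&1 || { echo "dpkg-query not available"; return 1; }
    ver=$(dpkg-query -W -f='${Version}' "$1" 2>/dev/null) || return 1
    [ -r "/usr/share/doc/$1/changelog.Debian.gz" ] || return 1
    changelog_fixes_cve "$(zcat "/usr/share/doc/$1/changelog.Debian.gz")" "$2" "$ver"
}

echo "deb9u3 entry names CVE-2021-3156: $(changelog_fixes_cve "$SAMPLE_CHANGELOG" CVE-2021-3156 1.8.19p1-2.1+deb9u3)"
echo "deb9u2 entry names CVE-2021-3156: $(changelog_fixes_cve "$SAMPLE_CHANGELOG" CVE-2021-3156 1.8.19p1-2.1+deb9u2)"
echo "newest version fixing CVE-2021-3156: $(fixing_version "$SAMPLE_CHANGELOG" CVE-2021-3156)"
echo "stretch security suite present: $(has_security_source "$SAMPLE_SOURCES" stretch)"
```

On a stretch machine, `installed_check sudo CVE-2021-3156` runs the same entry test against the installed package, which is the point of the thread: the Debian revision after the hyphen, not the upstream 1.8.19p1, is what tells you whether the fix is present.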