Home > Security > Advisories

Advisories

Mandriva Advisories

Package name sudo
Date June 21st, 2005
Advisory ID MDKSA-2005:103
Affected versions 10.0, 10.1, CS2.1, CS3.0, MNF2.0, 10.2
Synopsis Updated sudo packages fix race condition vulnerability

Problem Description

A race condition was discovered in sudo by Charles Morris. This could
lead to the escalation of privileges if /etc/sudoers allowed a user to
execute selected programs that were then followed by another line
containing the pseudo-command "ALL". By creating symbolic links at a
certain time, that user could execute arbitrary commands.

The updated packages have been patched to correct this problem.

Updated Packages

Mandrakelinux 10.0

 0fdbddfa1ca2298a05261c77c2eb0b43  10.0/RPMS/sudo-1.6.7-0.p5.2.2.100mdk.i586.rpm
523d0cfc297e81c3381d5df89078b3bc  10.0/SRPMS/sudo-1.6.7-0.p5.2.2.100mdk.src.rpm

Mandrakelinux 10.0/AMD64

 69b25ae195069271c0a037aaa1912722  amd64/10.0/RPMS/sudo-1.6.7-0.p5.2.2.100mdk.amd64.rpm
523d0cfc297e81c3381d5df89078b3bc  amd64/10.0/SRPMS/sudo-1.6.7-0.p5.2.2.100mdk.src.rpm

Mandrakelinux 10.1

 07e35abe22a51cbb66d8969cb6cd7738  10.1/RPMS/sudo-1.6.8p1-1.2.101mdk.i586.rpm
5d636e00903aa9f1e954b658754379f0  10.1/SRPMS/sudo-1.6.8p1-1.2.101mdk.src.rpm

Mandrakelinux 10.1/X86_64

 3fe900becdac7248053415e5c37029ca  x86_64/10.1/RPMS/sudo-1.6.8p1-1.2.101mdk.x86_64.rpm
5d636e00903aa9f1e954b658754379f0  x86_64/10.1/SRPMS/sudo-1.6.8p1-1.2.101mdk.src.rpm

Corporate Server 2.1

 0574ea8f264d1ac850bc7401da9dfd46  corporate/2.1/RPMS/sudo-1.6.6-2.2.C21mdk.i586.rpm
7520cfd6be4d4d2ce87787ebf1dccca2  corporate/2.1/SRPMS/sudo-1.6.6-2.2.C21mdk.src.rpm

Corporate Server 2.1/X86_64

 e971d73a7bd06d23d40d102bf113af75  x86_64/corporate/2.1/RPMS/sudo-1.6.6-2.2.C21mdk.x86_64.rpm
7520cfd6be4d4d2ce87787ebf1dccca2  x86_64/corporate/2.1/SRPMS/sudo-1.6.6-2.2.C21mdk.src.rpm

Corporate Server 3.0

 551c661042bae4c9da2fab38fcfbf08a  corporate/3.0/RPMS/sudo-1.6.7-0.p5.2.2.C30mdk.i586.rpm
ded9307a4c361548d164765a421e0f9e  corporate/3.0/SRPMS/sudo-1.6.7-0.p5.2.2.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 f392eecc2886cf8c73a4c27c3d86112d  x86_64/corporate/3.0/RPMS/sudo-1.6.7-0.p5.2.2.C30mdk.x86_64.rpm
ded9307a4c361548d164765a421e0f9e  x86_64/corporate/3.0/SRPMS/sudo-1.6.7-0.p5.2.2.C30mdk.src.rpm

Multi Network Firewall 2.0

 7511b6ad68dca19c656c0f12fca0638f  mnf/2.0/RPMS/sudo-1.6.7-0.p5.2.2.M20mdk.i586.rpm
98d72851a4f7f7a0850c10f4b898b361  mnf/2.0/SRPMS/sudo-1.6.7-0.p5.2.2.M20mdk.src.rpm

Mandriva Linux LE2005

 fa3d69895a19bd321666c565e9919cdb  10.2/RPMS/sudo-1.6.8p1-2.1.102mdk.i586.rpm
c9abd9d5ad76e4c5d8da20af10ba4601  10.2/SRPMS/sudo-1.6.8p1-2.1.102mdk.src.rpm

Mandriva Linux LE2005/X86_64

 56cba44d316f3d1623f20a3e5c102721  x86_64/10.2/RPMS/sudo-1.6.8p1-2.1.102mdk.x86_64.rpm
c9abd9d5ad76e4c5d8da20af10ba4601  x86_64/10.2/SRPMS/sudo-1.6.8p1-2.1.102mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1993
http://www.sudo.ws/sudo/alerts/path_race.html

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.