Advisories

Mandriva Advisories

Package name	sudo
Date	August 31st, 2006
Advisory ID	MDKSA-2006:159
Affected versions	CS3.0, MNF2.0, 2006.0
Synopsis	Updated sudo packages whitelist environments

Problem Description

Previous sudo updates were made available to sanitize certain
environment variables from affecting a sudo call, such as
PYTHONINSPECT, PERL5OPT, etc. While those updates were effective in
addressing those specific environment variables, other variables that
were not blacklisted were being made available.

Debian addressed this issue by forcing sudo to use a whitlist approach
in DSA-946-2 by arbitrarily making env_reset the default (as opposed
to having to be enabled in /etc/sudoers). Mandriva has opted to follow
the same approach so now only certain variables are, by default, made
available, such as HOME, LOGNAME, SHELL, TERM, DISPLAY, XAUTHORITY,
XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER, as well as the SUDO_*
variables.

If other variables are required to be kept, this can be done by editing
/etc/sudoers and using the env_keep option, such as:

Defaults env_keep="FOO BAR"

As well, the Corporate 3 packages are now compiled with the SECURE_PATH
setting.

Updated packages are patched to address this issue.

Updated Packages

Corporate Server 3.0

 df8964b76a758340a3a283147dce03d5  corporate/3.0/RPMS/sudo-1.6.7-0.p5.2.5.C30mdk.i586.rpm
 3d4fe9dd6e7f729266af98a318be1b48  corporate/3.0/SRPMS/sudo-1.6.7-0.p5.2.5.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 f8b93aad21eb48289a537e586d3c58ae  x86_64/corporate/3.0/RPMS/sudo-1.6.7-0.p5.2.5.C30mdk.x86_64.rpm
 3d4fe9dd6e7f729266af98a318be1b48  x86_64/corporate/3.0/SRPMS/sudo-1.6.7-0.p5.2.5.C30mdk.src.rpm

Multi Network Firewall 2.0

 57e770ca1e0d0bf487be6b1c4691926c  mnf/2.0/RPMS/sudo-1.6.7-0.p5.2.5.M20mdk.i586.rpm
 d5a3d6889677117b6d19f953794c4ef4  mnf/2.0/SRPMS/sudo-1.6.7-0.p5.2.5.M20mdk.src.rpm

Mandriva Linux 2006

 859526089cecbc00c11b0c76509f97b1  2006.0/RPMS/sudo-1.6.8p8-2.3.20060mdk.i586.rpm
 7dce7457a74d625018aee6690bcc35d7  2006.0/SRPMS/sudo-1.6.8p8-2.3.20060mdk.src.rpm

Mandriva Linux 2006/X86_64

 8ab6e95323473f6f1f72c255aa4453ae  x86_64/2006.0/RPMS/sudo-1.6.8p8-2.3.20060mdk.x86_64.rpm
 7dce7457a74d625018aee6690bcc35d7  x86_64/2006.0/SRPMS/sudo-1.6.8p8-2.3.20060mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-4158
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0151
http://www.debian.org/security/2006/dsa-946

Upgrade

To upgrade automatically, use MandrivaUpdate.

Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.

URL:

https://mandriva.com/security/advisories

Short link:

https://mandriva.com/content/view/full/1075

Intersites Menu

Mandriva

Tools

Top menu

Advisories

Footer