Home > Security > Advisories

Advisories

Mandriva Advisories

Package name sudo
Date October 27th, 2005
Advisory ID MDKSA-2005:201
Affected versions 10.1, CS2.1, CS3.0, MNF2.0, 10.2, 2006.0
Synopsis Updated sudo packages fix vulnerability

Problem Description

Tavis Ormandy discovered that sudo does not perform sufficient
environment cleaning; in particular the SHELLOPTS and PS4 variables are
still passed to the program running as an alternate user which can
result in the execution of arbitrary commands as the alternate user
when a bash script is executed.

The updated packages have been patched to correct this problem.

Updated Packages

Mandrakelinux 10.1

 3ac90a3cd189ea0326d927370fdb250e  10.1/RPMS/sudo-1.6.8p1-1.3.101mdk.i586.rpm
 d0f1e39453c3efa42829959452b10f85  10.1/SRPMS/sudo-1.6.8p1-1.3.101mdk.src.rpm

Mandrakelinux 10.1/X86_64

 e4522d2cc1241b549143cdfd384b1e84  x86_64/10.1/RPMS/sudo-1.6.8p1-1.3.101mdk.x86_64.rpm
 d0f1e39453c3efa42829959452b10f85  x86_64/10.1/SRPMS/sudo-1.6.8p1-1.3.101mdk.src.rpm

Corporate Server 2.1

 f7a973c064788876a3927e23698165e7  corporate/2.1/RPMS/sudo-1.6.6-2.3.C21mdk.i586.rpm
 9d41a3e0d779287d5d6defe3effeadb6  corporate/2.1/SRPMS/sudo-1.6.6-2.3.C21mdk.src.rpm

Corporate Server 2.1/X86_64

 11dee7cd0ef65739fbcb74eb4435abb7  x86_64/corporate/2.1/RPMS/sudo-1.6.6-2.3.C21mdk.x86_64.rpm
 9d41a3e0d779287d5d6defe3effeadb6  x86_64/corporate/2.1/SRPMS/sudo-1.6.6-2.3.C21mdk.src.rpm

Corporate Server 3.0

 7f961e981298b0e17db2206b0c173c94  corporate/3.0/RPMS/sudo-1.6.7-0.p5.2.3.C30mdk.i586.rpm
 541ec48ae7f199c9e02209552541c93a  corporate/3.0/SRPMS/sudo-1.6.7-0.p5.2.3.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 0baca1e5dd528d9a0746812c3f70b6aa  x86_64/corporate/3.0/RPMS/sudo-1.6.7-0.p5.2.3.C30mdk.x86_64.rpm
 541ec48ae7f199c9e02209552541c93a  x86_64/corporate/3.0/SRPMS/sudo-1.6.7-0.p5.2.3.C30mdk.src.rpm

Multi Network Firewall 2.0

 73f5119120b2f173d2a5b529bc4b94b1  mnf/2.0/RPMS/sudo-1.6.7-0.p5.2.3.M20mdk.i586.rpm
 6711bd6886115f5e5ec429eb739af719  mnf/2.0/SRPMS/sudo-1.6.7-0.p5.2.3.M20mdk.src.rpm

Mandriva Linux LE2005

 d1145addcb3d305aa1149baaad74bee4  10.2/RPMS/sudo-1.6.8p1-2.2.102mdk.i586.rpm
 7cfd46cb455cc00b091849726d4763f5  10.2/SRPMS/sudo-1.6.8p1-2.2.102mdk.src.rpm

Mandriva Linux LE2005/X86_64

 9d59bab72f413dd21013add16252a48a  x86_64/10.2/RPMS/sudo-1.6.8p1-2.2.102mdk.x86_64.rpm
 7cfd46cb455cc00b091849726d4763f5  x86_64/10.2/SRPMS/sudo-1.6.8p1-2.2.102mdk.src.rpm

Mandriva Linux 2006

 bf2035af2ac556c3bcb013e80c4fbbd9  2006.0/RPMS/sudo-1.6.8p8-2.1.20060mdk.i586.rpm
 4c708ebf20c38db338e909e6e461888f  2006.0/SRPMS/sudo-1.6.8p8-2.1.20060mdk.src.rpm

Mandriva Linux 2006/X86_64

 569e58db33c0a58b0548e3ea699e86fa  x86_64/2006.0/RPMS/sudo-1.6.8p8-2.1.20060mdk.x86_64.rpm
 4c708ebf20c38db338e909e6e461888f  x86_64/2006.0/SRPMS/sudo-1.6.8p8-2.1.20060mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2959

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.