group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #02033
[Bug 1512781] Re: CVE-2015-5602 - Unauthorized Privilege Escalation
Xenial now has 1.8.16, marking released.
** Changed in: sudo (Ubuntu Xenial)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1512781
Title:
CVE-2015-5602 - Unauthorized Privilege Escalation
Status in sudo:
Unknown
Status in sudo package in Ubuntu:
Fix Released
Status in sudo source package in Precise:
Confirmed
Status in sudo source package in Trusty:
Confirmed
Status in sudo source package in Vivid:
Confirmed
Status in sudo source package in Wily:
Confirmed
Status in sudo source package in Xenial:
Fix Released
Status in sudo package in Debian:
Fix Released
Bug description:
https://www.exploit-db.com/exploits/37710/
As descpribed in the link above, sudo versions lower or equal than
1.8.14 have a security issue: user with root access to a path with
more than one wildcard can access forbidden files such as /etc/shadow,
because sudoedit (sudo -e) does not verifiy full path of accessed
file:
(quote from link above)
It seems that sudoedit does not check the full path if a wildcard is used
twice (e.g. /home/*/*/file.txt), allowing a malicious user to replace the
file.txt real file with a symbolic link to a different location (e.g.
/etc/shadow).
As an expample,
1. Give user `usr' right to edit some his files:
usr ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt
2. Under usr, create ~/temp directory, and then create a symblink
~/temp/test.txt to /etc/shadow
3. Perform sudoedit ~/temp/test.txt - you will able to access
/etc/shadow.
What realease is affected: tested on all supported now Ubuntu
versions. For personaly me, it's 14.04 LTS.
What version is affected: as mentioned, all versions <=1.8.14. For
personally me, it's 1.8.9p5
What was expected and happend instead: sudoedit should check full real
path, but it didn't.
To manage notifications about this bug go to:
https://bugs.launchpad.net/sudo/+bug/1512781/+subscriptions