[Quantal] sudo is vulnerable to CVE-2012-2337

Bug #1000276 reported by Tyler Hicks
Affects: sudo (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Tyler Hicks

Bug Description

The upstream advisory contains a clear description:

http://www.sudo.ws/sudo/alerts/netmask.html

Tags: patch

CVE References: CVE-2012-2337

Tyler Hicks (tyhicks) wrote:

This debdiff has passed umt's local build checks. I'll comment on the results of testing the locally built package inside of a quantal chroot shortly.

Tyler Hicks (tyhicks)
visibility: private → public
Changed in sudo (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
Ubuntu Foundations Team Bug Bot (crichton) wrote:

The attachment "sudo_1.8.3p1-1ubuntu5.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Tyler Hicks (tyhicks) wrote:

The test-sudo.py QRT test script passed, as well as some manual testing that I performed. The debdiff is ready for sponsorship.

Changed in sudo (Ubuntu):
assignee: Tyler Hicks (tyhicks) → nobody
Changed in sudo (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
status: Confirmed → In Progress
Jamie Strandboge (jdstrand) wrote:

ACK

Changed in sudo (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package sudo - 1.8.3p1-1ubuntu5

---------------
sudo (1.8.3p1-1ubuntu5) quantal; urgency=low

  * SECURITY UPDATE: Properly handle netmasks in sudoers Host and Host_List
    values (LP: #1000276)
    - debian/patches/CVE-2012-2337.patch: Don't perform IPv6 checks on IPv4
      addresses. Based on upstream patch.
    - CVE-2012-2337
 -- Tyler Hicks <email address hidden> Wed, 16 May 2012 09:42:17 -0500

Changed in sudo (Ubuntu):
status: Fix Committed → Fix Released
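
The changelog entry above describes the fix as no longer performing IPv6 checks on IPv4 addresses when matching sudoers Host and Host_List netmask entries. As an added example (not sudo's own match.c and not part of this bug report), the following C sketches a sudoers-style "network/mask" matcher that accepts dotted-quad and prefix-length masks, rejects malformed masks outright, and compares an entry only against interface addresses of the entry's own family; the `family_check` flag lets you see what a family-agnostic comparison would let through. The interface table, the addresses and all function names (`parse_netspec`, `addr_matches`, `demo_match`) are constructed for this example.

```c
/* Added example, not sudo's match.c: match a sudoers-style "network/mask"
 * Host entry against a host's interface addresses, comparing only within the
 * entry's own address family. Names and the interface table are constructed. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

struct iface { int family; unsigned char addr[16]; };             /* AF_INET uses 4 bytes */
struct netspec { int family; unsigned char addr[16], mask[16]; }; /* parsed entry */

/* Fill a len-byte mask from a prefix length; reject lengths the family cannot hold. */
static bool prefix_mask(unsigned char *mask, size_t len, int bits)
{
    if (bits < 0 || bits > (int)(len * 8))
        return false;
    for (size_t i = 0; i < len; i++) {
        int have = bits - (int)(i * 8);
        mask[i] = have >= 8 ? 0xff : have <= 0 ? 0 : (unsigned char)(0xff << (8 - have));
    }
    return true;
}

/* Strict decimal parse: "24" accepted, "" or "24x" rejected (atoi would yield 0 = match-all). */
static bool parse_prefix(const char *s, int *bits)
{
    char *end;
    long v = strtol(s, &end, 10);
    if (*s == '\0' || *end != '\0' || v < 0 || v > 128)
        return false;
    *bits = (int)v;
    return true;
}

/* Parse "n/m": m is a dotted-quad mask (IPv4), an IPv6 mask, or a prefix length.
 * A malformed entry returns false and so can never match. */
static bool parse_netspec(const char *spec, struct netspec *ns)
{
    char buf[128], *m;
    int bits;

    if (strlen(spec) >= sizeof(buf))
        return false;
    strcpy(buf, spec);
    if ((m = strchr(buf, '/')) == NULL)
        return false;
    *m++ = '\0';
    memset(ns, 0, sizeof(*ns));
    if (inet_pton(AF_INET6, buf, ns->addr) == 1) {
        ns->family = AF_INET6;
        if (inet_pton(AF_INET6, m, ns->mask) == 1)
            return true;
        return parse_prefix(m, &bits) && prefix_mask(ns->mask, 16, bits);
    }
    if (inet_pton(AF_INET, buf, ns->addr) == 1) {
        ns->family = AF_INET;
        if (strchr(m, '.'))
            return inet_pton(AF_INET, m, ns->mask) == 1;
        return parse_prefix(m, &bits) && prefix_mask(ns->mask, 4, bits);
    }
    return false;
}

/* Match the entry against the interface table. With family_check set, an IPv4
 * entry is never compared to an IPv6 address (the check the fix adds). Without
 * it, the entry's 4-byte network and mask are applied to the leading bytes of
 * every address, so an IPv6 address whose first octets coincide with the IPv4
 * network satisfies an IPv4-only rule (an illustration, not sudo's exact bug). */
static bool addr_matches(const struct netspec *ns, const struct iface *ifs, size_t n,
                         bool family_check)
{
    size_t len = ns->family == AF_INET6 ? 16 : 4;
    for (size_t i = 0; i < n; i++) {
        if (family_check && ifs[i].family != ns->family)
            continue;
        size_t j = 0;
        while (j < len && (ifs[i].addr[j] & ns->mask[j]) == ns->addr[j])
            j++;
        if (j == len)
            return true;
    }
    return false;
}

/* Constructed table: one IPv4 address and one IPv6 address whose leading octets
 * (c0 a8 01) coincide with 192.168.1.0. Returns 1 match, 0 no match, -1 malformed. */
int demo_match(const char *spec, bool family_check)
{
    struct iface ifs[2];
    struct netspec ns;

    memset(ifs, 0, sizeof(ifs));
    ifs[0].family = AF_INET;  inet_pton(AF_INET,  "10.1.2.3",    ifs[0].addr);
    ifs[1].family = AF_INET6; inet_pton(AF_INET6, "c0a8:100::1", ifs[1].addr);
    if (!parse_netspec(spec, &ns))
        return -1;
    return addr_matches(&ns, ifs, 2, family_check) ? 1 : 0;
}
```

Two design points matter here. The prefix length is parsed strictly rather than with atoi, because atoi turns a typo such as "24x" into 0, and a /0 entry matches every address of its family. And a mask that cannot be parsed, or a prefix longer than the family allows, fails the parse so the entry matches nothing at all; silently falling back to a match-all mask is the failure mode to avoid in a privilege-granting rule.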