FFe: Update to sudo 1.8.16

Bug #1563825 reported by Marc Deslauriers
Affects: sudo (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

I am requesting a FeatureFreeze exception to update sudo in Xenial to the newly released 1.8.16 version.

Not only does the new 1.8.16 version fix a large number of bugs, but it also fixes security issues:

- CVE-2015-5602: privilege escalation via symlink attack
- CVE-2015-8239: race condition checking digests/checksums in sudoers
- duplicate environment variable handling

The fixes for these issues are intrusive and difficult to backport.

Once 1.8.16 is in Xenial, I intend to backport it to Precise and Trusty as a security update to fix the long standing issue with sudo and timestamp files based on the local clock, which resulted in a big refactoring of how timestamp files work in 1.8.10. (See bug 1219337)

See the following for details of the changes between 1.8.12 and 1.8.16:
https://www.sudo.ws/stable.html

I will of course monitor bugs and will fix any issues that arise.
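The second item in the list above, the digest race, is the classic check-versus-use gap. As an added example that is not code from this bug report, from Ubuntu or from sudo, the block below constructs a small scenario showing why a path-based digest check can be defeated by an atomic rename between the check and the execve(), and the usual remedy: open the command once, hash the bytes through that descriptor, and execute the same descriptor with fexecve(). The helper names (sha256_file, sha256_fd, open_verified, exec_verified, demo) and the sample scripts are this example's own assumptions.

```python
"""Added example; not code from the bug report, from Ubuntu, or from sudo.
Names and sample files here are the example's own; the scripts are
constructed in a temporary directory."""
import hashlib
import os
import stat
import tempfile


def sha256_file(path: str) -> str:
    """Path-based digest: valid only until someone changes what `path` names."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def sha256_fd(fd: int) -> str:
    """Digest the bytes behind an already-open descriptor (the inode, not the name)."""
    h = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while True:
        chunk = os.read(fd, 1 << 16)
        if not chunk:
            break
        h.update(chunk)
    os.lseek(fd, 0, os.SEEK_SET)
    return h.hexdigest()


def open_verified(path: str, expected_sha256: str) -> int:
    """Open `path` once, verify the digest on that descriptor, return the descriptor.

    Deliberately no O_CLOEXEC: for a #! script, fexecve() hands the descriptor
    to the interpreter, so it must survive the exec.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if sha256_fd(fd) != expected_sha256.lower():
            raise PermissionError(f"{path}: digest mismatch")
    except BaseException:
        os.close(fd)
        raise
    return fd


def exec_verified(path: str, argv: list, expected_sha256: str) -> None:
    """Run exactly the bytes that were verified: same descriptor, no second lookup."""
    fd = open_verified(path, expected_sha256)
    os.fexecve(fd, argv, os.environ)


def demo() -> dict:
    """Constructed scenario: a trusted script and an attacker who atomically
    replaces it between the digest check and the execution."""
    workdir = tempfile.mkdtemp(prefix="digest-race-")
    target = os.path.join(workdir, "backup.sh")
    good = "#!/bin/sh\necho backing up\n"
    bad = "#!/bin/sh\necho pwned\n"
    expected = hashlib.sha256(good.encode()).hexdigest()

    def write(path, text):
        with open(path, "w") as f:
            f.write(text)

    def attacker_swap():
        evil = os.path.join(workdir, "evil.sh")
        write(evil, bad)
        os.rename(evil, target)  # atomic: the name now points at the attacker's inode

    results = {}
    # Racy shape: check the path, then look the path up again for execve().
    write(target, good)
    results["racy_check_passed"] = sha256_file(target) == expected
    attacker_swap()
    results["racy_would_run_expected"] = sha256_file(target) == expected
    # Fixed shape: the descriptor opened before the swap still refers to the
    # verified inode, so what was hashed is exactly what fexecve() would run.
    write(target, good)
    fd = open_verified(target, expected)
    attacker_swap()
    results["fd_still_expected"] = sha256_fd(fd) == expected
    os.close(fd)
    # An open performed after the swap fails the check outright.
    try:
        open_verified(target, expected)
        results["post_swap_open_rejected"] = False
    except PermissionError:
        results["post_swap_open_rejected"] = True
    return results
```

Running `demo()` yields `racy_check_passed` True but `racy_would_run_expected` False, while `fd_still_expected` and `post_swap_open_rejected` are both True: the descriptor, not the name, is what ties the verification to the execution.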


Marc Deslauriers (mdeslaur) wrote :

Just to be clear, I will start by merging 1.8.15-1.1 from Debian, and will update to 1.8.16 which isn't in Debian yet.

Martin Pitt (pitti) wrote :

Only trivial new features, mostly bug fixes. Approved.

Changed in sudo (Ubuntu):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.8.16-0ubuntu1

---------------
sudo (1.8.16-0ubuntu1) xenial; urgency=medium

  * Update to new upstream version 1.8.16. (LP: #1563825)
    - Dropped patches no longer needed:
      + CVE-2015-5602-6.patch
      + CVE-2015-5602-7.patch
  * Merge from Debian unstable. Remaining changes:
    - Use tmpfs location to store timestamp files
      + debian/rules: change --with-rundir to /var/run/sudo
      + debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop
        shipping init script and service file, as they are no longer
        necessary.
      + debian/*.preinst, debian/*.postinst, debian/*.postrm: remove old
        init script with dpkg-maintscript-helper.
      + debian/*.postinst: remove old /var/run/sudo to /var/lib/sudo
        transition code, remove old /var/lib/sudo/ts timestamp directory.
    - debian/rules:
      + compile with --without-lecture --with-tty-tickets --enable-admin-flag
      + install man/man8/sudo_root.8 in both flavours
      + install apport hooks
    - debian/sudoers:
      + also grant admin group sudo access
    - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
      + add usr/share/apport/package-hooks
    - debian/sudo.pam:
      + Use pam_env to read /etc/environment and /etc/default/locale
        environment files. Reading ~/.pam_environment is not permitted due to
        security reasons.
    - debian/control:
      + dh-autoreconf dependency fixes missing-build-dependency-for-dh_-command
    - Remaining patches:
      + keep_home_by_default.patch: Keep HOME in the default environment
      + debian/patches/also_check_sudo_group.diff: also check the sudo group
        in plugins/sudoers/sudoers.c to create the admin flag file. Leave the
        admin group check for backwards compatibility.
    - Dropped patches no longer needed:
      + debian/patches/pam_check_untranslated_prompt.patch: upstream.

sudo (1.8.15-1.1) unstable; urgency=medium

  * Non-maintainer upload
  * Disable editing of files via user-controllable symlinks
    (Closes: #804149) (CVE-2015-5602)
    - Fix directory writability checks for sudoedit
    - Enable sudoedit directory writability checks by default

sudo (1.8.15-1) unstable; urgency=low

  * new upstream version, closes: #804149
  * use --with-exampledir to deliver example files more cleanly

 -- Marc Deslauriers <email address hidden> Wed, 30 Mar 2016 08:03:52 -0400

Changed in sudo (Ubuntu):
status: Triaged → Fix Released
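The 1.8.15-1.1 entry in the changelog above describes the sudoedit fix as directory writability checks plus a refusal to follow user-controllable symlinks. As an added example that is not code from this bug report, from Ubuntu or from sudo, the block below models that check: every path component is read with lstat() rather than stat(), and the edit is refused if any component is a symbolic link or is writable by the invoking, unprivileged user. The names user_can_write, unsafe_components, build_sample_tree and ATTACKER_UID are this example's own, as is the sample tree it constructs in a temporary directory; the `root` parameter exists only so the demo can stop the walk at that tree instead of judging /tmp.

```python
"""Added example; not code from the bug report, from Ubuntu, or from sudo.
Names, the ATTACKER_UID constant and the sample tree are the example's own."""
import os
import stat
import tempfile

# An invoking uid that is guaranteed not to own the constructed files.
ATTACKER_UID = 65534 if os.getuid() != 65534 else 65533


def user_can_write(st: os.stat_result, uid: int, gids: set) -> bool:
    """Ordinary Unix mode-bit evaluation for a non-root user."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def unsafe_components(path: str, uid: int, gids: set, root: str = os.sep) -> list:
    """Return the reasons `path` must not be edited on behalf of `uid`.

    Components between `root` (exclusive) and the file (inclusive) are read
    with lstat(), so a symlink is reported instead of followed. An empty list
    means the path passed. `root` would be "/" in real use; the demo narrows
    it to a temporary directory so the checker's own ancestors are not judged.
    """
    root = os.path.abspath(root)
    abspath = os.path.abspath(path)
    if os.path.commonpath([root, abspath]) != root:
        return [f"{abspath}: outside trusted root {root}"]
    parts = os.path.relpath(abspath, root).split(os.sep)
    problems, current = [], root
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        is_last = i == len(parts) - 1
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            if not is_last:  # the file may be new; a missing directory may not
                problems.append(f"{current}: missing directory")
            break
        if stat.S_ISLNK(st.st_mode):
            problems.append(f"{current}: is a symlink")
            break  # nothing beyond a symlink is trustworthy
        if is_last:
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{current}: not a directory")
            break
        if user_can_write(st, uid, gids):
            problems.append(f"{current}: writable by uid {uid}")
    return problems


def build_sample_tree() -> dict:
    """Constructed sample: etc/shadow reachable only through non-writable
    directories, and a world-writable pub/ holding a symlink that points at it."""
    root = tempfile.mkdtemp(prefix="sudoedit-check-")
    os.chmod(root, 0o755)
    etc, pub = os.path.join(root, "etc"), os.path.join(root, "pub")
    os.mkdir(etc)
    os.chmod(etc, 0o755)
    os.mkdir(pub)
    os.chmod(pub, 0o777)  # explicit so the result does not depend on umask
    shadow = os.path.join(etc, "shadow")
    with open(shadow, "w") as f:
        f.write("root:*:0:0:::\n")  # constructed placeholder content
    os.chmod(shadow, 0o640)
    trap = os.path.join(pub, "notes.txt")
    os.symlink(shadow, trap)
    return {"root": root, "safe": shadow, "trap": trap}


if __name__ == "__main__":
    tree = build_sample_tree()
    for name in ("safe", "trap"):
        verdict = unsafe_components(tree[name], ATTACKER_UID, {ATTACKER_UID}, root=tree["root"])
        print(f"{name}: {verdict or 'ok to edit'}")
```

For the constructed tree, `etc/shadow` passes with an empty list, while `pub/notes.txt` is refused twice over: `pub` is writable by the invoking uid, and `notes.txt` is itself a symlink. The walk stops at the first symlink because anything resolved through it is under the attacker's control.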
This report contains Public Security information  
