*** glibc detected *** sudo: double free or corruption

Bug #553786 reported by Daniel Richard G.
This bug affects 12 people

Affects | Status | Importance | Assigned to | Milestone
sudo (Ubuntu) | Fix Released | Undecided | Unassigned |
Lucid | Fix Released | Undecided | Unassigned |

Bug Description

[SRU]

[Impact]
Lucid users who create a file in /etc/sudoers.d with incorrect permissions cause sudo to segfault, preventing them from using sudo to change the permissions.
(This works properly in later versions of sudo, such as Oneiric+)

[Test case]
1- Create a file in /etc/sudoers.d with 644 permissions
2- Attempt to use sudo
3- sudo should simply print a warning, and not segfault

[Regression potential]
This is the upstream patch that has been used for quite a while, and has passed the qa-regression-testing test suite. If there are regressions, I suppose it could be in the sudoers file handling.

Original description:
Lucid beta1, sudo 1.7.2p1-1ubuntu4. I added a file with incorrect permissions under /etc/sudoers.d/, and while that needed fixing, sudo(8) certainly shouldn't react like this:

$ sudo bash
sudo: /etc/sudoers.d/admin is mode 0644, should be 0440
>>> /etc/sudoers.d/README: /etc/sudoers.d/admin near line 18 <<<
sudo: parse error in /etc/sudoers.d/README near line 18
sudo: no valid sudoers sources found, quitting
*** glibc detected *** sudo: double free or corruption (!prev): 0x0861b7b0 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(+0x6b581)[0xa3a581]
/lib/tls/i686/cmov/libc.so.6(+0x6cdd8)[0xa3bdd8]
/lib/tls/i686/cmov/libc.so.6(cfree+0x6d)[0xa3eebd]
/lib/tls/i686/cmov/libc.so.6(fclose+0x14a)[0xa2aa9a]
sudo[0x805782d]
sudo[0x80587c6]
sudo[0x805639e]
sudo[0x805a104]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x9e5bd6]
sudo[0x804a7c1]
Aborted

The above stack-trace spam was trivially and consistently reproducible.

Ovidiu Constantin (ovidiu-mybox) wrote :

Confirmed also on Ubuntu 10.4 - 1.7.2p1-1ubuntu5.2. Changing the file rights from 644 to 440 "fixed" it.

Carlos Perelló Marín (carlos) wrote :

How do you change the file rights if sudo doesn't work, you don't have a root password set, and you don't have direct access to the server to reboot into single mode?

IMHO, this bug should be set as CRITICAL, given that you are "banned" from administering a remote server.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sudo (Ubuntu):
status: New → Confirmed

Keith Baker (keibak) wrote :

Just happened to me on a fresh and updated lucid server installation.

This is really annoying since the server was a plain router. No keyboard or monitor was connected.

Keith Baker (keibak) wrote :

Tried same thing on desktop version of natty. There the problem seems fixed.

Still I'd consider this bug critical since lucid is the current long-term-support version.

tags: added: lucid

Jason R. Coombs (jaraco) wrote :

I've just been bitten by this bug yet again. I've had to ask my administrator to reboot our server into recovery mode to remove the file. Why isn't a bug that locks administrators out of the operating system (in an otherwise well-configured environment) considered a critical bug? The only workaround I can think of is to know in advance that creating a file in /etc/sudoers.d might cause lockouts, so keep a separate shell as root... but I don't always remember to do that.

I would be grateful if someone would please fix this.

Steve Langasek (vorlon) wrote :

This bug appears to be fixed in precise. A message is output about the wrong permissions, but sudo itself works correctly.

Changed in sudo (Ubuntu):
status: Confirmed → Fix Released

Jason R. Coombs (jaraco) wrote :

Has Ubuntu changed its meaning of LTS? This issue still exists in Lucid.

Keith Baker already pointed out that the issue was fixed at least as early as Natty. Can we get the fix back-ported to Lucid? Is there any reason this shouldn't be considered critical as it can lock out legitimate administrative users with no workaround except to run recovery (in some scenarios)?

Rüdiger Kupper (ruediger.kupper) wrote :

I have been hit by this bug and it's *extremely nasty*. I am instantly locked out of my system with no way of fixing it.

Things like these MUST NOT happen. I get from this bug report that there is a fix.

BACKPORT THIS FIX TO LUCID!

Marc Deslauriers (mdeslaur) wrote :
Changed in sudo (Ubuntu Lucid):
status: New → Confirmed
description: updated
description: updated

Adam Conrad (adconrad) wrote : Please test proposed package

Hello Daniel, or anyone else affected,

Accepted sudo into lucid-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/sudo/1.7.2p1-1ubuntu5.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sudo (Ubuntu Lucid):
status: Confirmed → Fix Committed
tags: added: verification-needed

Bartosz Kosiorek (gang65) wrote :

After installing the sudo package from proposed, there is no longer a crash:

sudo ls
sudo: /etc/sudoers.d/mama is mode 0644, should be 0440
>>> /etc/sudoers.d/README: /etc/sudoers.d/mama near line 18 <<<
sudo: parse error in /etc/sudoers.d/README near line 18
sudo: no valid sudoers sources found, quitting

Verified.

tags: added: verification-done
removed: verification-needed

Colin Watson (cjwatson) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.7.2p1-1ubuntu5.5

---------------
sudo (1.7.2p1-1ubuntu5.5) lucid-proposed; urgency=low

  * toke.{cl}: avoid duplicate fclose() of the sudoers file (LP: #553786)
    - http://www.sudo.ws/repos/sudo/rev/164d39108dde
 -- Marc Deslauriers <email address hidden> Thu, 22 Nov 2012 16:08:01 -0500

Changed in sudo (Ubuntu Lucid):
status: Fix Committed → Fix Released