[Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

Sebastien Bacher 1915307 at bugs.launchpad.net
Tue Feb 16 07:19:25 UTC 2021 

** Tags added: block-proposed

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1915307

Title:
  Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

Status in sudo package in Ubuntu:
  Fix Committed

Bug description:
  This requires a merge because there are changes in the Ubuntu version
  not present in the Debian version.

  ------ Justification of patches removed from debian/patches/series ------
  * typo-in-classic-insults.diff
    * This exact patch is present in upstream version 1.9.5p2-2
  * paths-in-samples.diff
    * This exact patch is present in upstream version 1.9.5p2-2
  * Whitelist-DPKG_COLORS-environment-variable.diff
    * This exact patch is present in upstream version 1.9.5p2-2
  * CVE-2021-23239.patch
    * This exact patch is NOT present in upstream version 1.9.5p2-2
      * The patch is made to address a vulnerability wherein users
        were able to gain information about what directories existed
        that they should not have had access to.
      * Upstream version 1.9.5p2-2 addresses this vulnerability using
        the function sudo_edit_parent_valid in the file src/sudo_edit.c
      * Since the vulnerability is addressed in upstream version
        1.9.5p2-2 it can safely be dropped
  * CVE-2021-3156-1.patch
    * The code from this patch already exitsts in upstream
      version 1.9.5p2-2
  * CVE-2021-3156-2.patch
    * The code from this patch already exitsts in upstream
      version 1.9.5p2-2
  * CVE-2021-3156-3.patch
    * The code from this patch already exitsts in upstream
      version 1.9.5p2-2
  * CVE-2021-3156-4.patch
    * The code from this patch already exitsts in upstream
      version 1.9.5p2-2
  * CVE-2021-3156-5.patch
    * The code from this patch already exitsts in upstream
      version 1.9.5p2-2
  * ineffective_no_root_mailer.patch
    * This exact patch is present in upstream version 1.9.5p2-2
      under the name fix-no-root-mailer.diff

  Changes:
    * Merge from Debian unstable. (LP: #1915307)
      Remaining changes:
      - debian/rules:
        + use dh-autoreconf
      - debian/rules: stop shipping init scripts, as they are no longer
        necessary.
      - debian/rules:
        + compile with --without-lecture --with-tty-tickets --enable-admin-flag
        + install man/man8/sudo_root.8 in both flavours
        + install apport hooks
      - debian/sudo-ldap.dirs, debian/sudo.dirs:
        + add usr/share/apport/package-hooks
      - debian/sudo.pam:
        + Use pam_env to read /etc/environment and /etc/default/locale
          environment files. Reading ~/.pam_environment is not permitted due
          to security reasons.
      - debian/sudoers:
        + also grant admin group sudo access
        + include /snap/bin in the secure_path

  sudo (1.9.5p2-2) unstable; urgency=medium

    * patch from upstream repo to fix NO_ROOT_MAILER

  sudo (1.9.5p2-1) unstable; urgency=high

    * new upstream version, addresses CVE-2021-3156

  sudo (1.9.5p1-1.1) unstable; urgency=high

    * Non-maintainer upload.
    * Heap-based buffer overflow (CVE-2021-3156)
      - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
      - Add sudoedit flag checks in plugin that are consistent with front-end
      - Fix potential buffer overflow when unescaping backslashes in user_args
      - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL
      - Don't assume that argv is allocated as a single flat buffer

  sudo (1.9.5p1-1) unstable; urgency=medium

    * new upstream version, closes: #980028

  sudo (1.9.5-1) unstable; urgency=medium

    * new upstream version

  sudo (1.9.4p2-2ubuntu3) hirsute; urgency=medium

    * SECURITY UPDATE: ineffective NO_ROOT_MAILER hardening option
      - debian/patches/ineffective_no_root_mailer.patch: fix NO_ROOT_MAILER
        in plugins/sudoers/logging.c, plugins/sudoers/policy.c.
      - No CVE number

  sudo (1.9.4p2-2ubuntu2) hirsute; urgency=medium

    * SECURITY UPDATE: dir existence issue via sudoedit race
      - debian/patches/CVE-2021-23239.patch: fix potential directory existing
        info leak in sudoedit in src/sudo_edit.c.
      - CVE-2021-23239
    * SECURITY UPDATE: heap-based buffer overflow
      - debian/patches/CVE-2021-3156-1.patch: reset valid_flags to
        MODE_NONINTERACTIVE for sudoedit in src/parse_args.c.
      - debian/patches/CVE-2021-3156-2.patch: add sudoedit flag checks in
        plugin in plugins/sudoers/policy.c.
      - debian/patches/CVE-2021-3156-3.patch: fix potential buffer overflow
        when unescaping backslashes in plugins/sudoers/sudoers.c.
      - debian/patches/CVE-2021-3156-4.patch: fix the memset offset when
        converting a v1 timestamp to TS_LOCKEXCL in
        plugins/sudoers/timestamp.c.
      - debian/patches/CVE-2021-3156-5.patch: don't assume that argv is
        allocated as a single flat buffer in src/parse_args.c.
      - CVE-2021-3156

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1915307/+subscriptions

More information about the Ubuntu-sponsors mailing list