From Todd.Miller at courtesan.com  Sat Feb 20 08:43:04 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sat, 20 Feb 2010 08:43:04 -0500
Subject: [sudo-announce] sudo 1.7.2p3 released
Message-ID: <201002201343.o1KDh4ao002669@core.courtesan.com>

Sudo version 1.7.2p3 is now available.  This is a bug fix release.

Download links:
    http://www.sudo.ws/sudo/dist/sudo-1.7.2p3.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.7.2p3.tar.gz

For a list of download mirror sites, see:
    http://www.sudo.ws/sudo/download.html

Sudo web site:
    http://www.sudo.ws/sudo/

Sudo web site mirrors:
    http://www.sudo.ws/sudo/mirrors.html

Major changes between sudo 1.7.2p2 and 1.7.2p3:

 * Fix printing of entries with multiple host entries on a single line.

 * Fix use after free when sending error messages via email.

 * Use setrlimit64(), if available, instead of setrlimit() when
   setting AIX resource limits since rlim_t is 32bits.

 * Fix size arg when realloc()ing include stack.

 * Avoid a duplicate fclose() of the sudoers file.

Major changes between sudo 1.7.2p1 and 1.7.2p2:

 * Fixed a a bug where the negation operator in a Cmnd_List
   was not being honored.

 * Sudo no longer produces a parse error when #includedir references
   a directory that contains no valid filenames.

 * The sudo.man.pl and sudoers.man.pl files are now included in
   the distribution for people who wish to regenerate the man pages.

 * Fixed the emulation of krb5_get_init_creds_opt_alloc() for MIT kerberos.

 * When authenticating via PAM, set PAM_RUSER and PAM_RHOST early so
   they can be used during authentication.

Major changes between sudo 1.7.2 and 1.7.2p1:

 * Fixed the expansion of the %h escape in #include file names
   introduced in sudo 1.7.1.

Major changes between sudo 1.7.1 and 1.7.2:

 * A new #includedir directive is available in sudoers.  This can be
   used to implement an /etc/sudo.d directory.  Files in an includedir
   are not edited by visudo unless they contain a syntax error.

 * The -g option did not work properly when only setting the group
   (and not the user).  Also, in -l mode the wrong user was displayed
   for sudoers entries where only the group was allowed to be set.

 * Fixed a problem with the alias checking in visudo which
   could prevent visudo from exiting.

 * Sudo will now correctly parse the shell-style /etc/environment
   file format used by pam_env on Linux.

 * When doing password and group database lookups, sudo will only
   cache an entry by name or by id, depending on how the entry was
   looked up.  Previously, sudo would cache by both name and id
   from a single lookup, but this breaks sites that have multiple
   password or group database names that map to the same uid or
   gid.

 * User and group names in sudoers may now be enclosed in double
   quotes to avoid having to escape special characters.

 * BSM audit fixes when changing to a non-root uid.

 * Experimental non-Unix group support.  Currently only works with
   Quest Authorization Services and allows Active Directory groups
   fixes for Minix-3.

 * For Netscape/Mozilla-derived LDAP SDKs the certificate and key
   paths may be specified as a directory or a file.  However, version
   5.0 of the SDK only appears to support using a directory (despite
   documentation to the contrary).  If SSL client initialization
   fails and the certificate or key paths look like they could be
   default file name, strip off the last path element and try again.

 * A setenv() compatibility fix for Linux systems, where a NULL
   value is treated the same as an empty string and the variable
   name is checked against the NULL pointer.


From Todd.Miller at courtesan.com  Thu Feb 25 07:28:06 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 25 Feb 2010 07:28:06 -0500
Subject: [sudo-announce] Privilege escalation bug with sudoedit
Message-ID: <201002251228.o1PCS6Xg010710@core.courtesan.com>

Sudo versions 1.7.2p4 and 1.6.9p21 are now available.  These releases
fix a privilege escalation bug in the sudoedit functionality.

Summary:
    A flaw in exists in sudo's -e option (aka sudoedit) in sudo
    versions 1.6.9 through 1.7.2p3 that may give a user with
    permission to run sudoedit the ability to run arbitrary commands.

Sudo versions affected:
    1.6.9 through 1.7.2p3 inclusive.

Download links:
    http://www.sudo.ws/sudo/dist/sudo-1.7.2p4.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.7.2p4.tar.gz
    http://www.sudo.ws/sudo/dist/sudo-1.6.9p21.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.9p21.tar.gz

Details:
    When sudo performs its command matching, there is a special
    case for pseudo-commands in the sudoers file (currently, the
    only pseudo-command is sudoedit).  Unlike a regular command,
    pseudo-commands do not begin with a slash ('/').

    The flaw is that sudo's the matching code would only check
    against the list of pseudo-commands if the user-specified command
    also contained no slashes.  As a result, if the user ran "sudo
    ./sudoedit" the normal matching code path was followed, which
    uses stat(2) to verify that the user-specified command matches
    the one in sudoers.  In this case, it would compare the
    "./sudoedit" specified by the user with "sudoedit" from the
    sudoers file, resulting in a positive match.

Impact:
    Exploitation of the bug requires that the sudoers file be
    configured to allow the attacker to run sudoedit.  If no users
    have been granted access to sudoedit there is no impact.

    Successful exploitation of the bug will allow a user to run
    arbitrary commands for whichever user they have permission to
    run sudoedit as, typically root.

Credit:
    This problem was brought to my attention by Glenn Waller and
    neonsignal.

See Also:
    http://www.sudo.ws/sudo/alerts/sudoedit_escalate.html