Reference: CERT-EU Security Advisory 2012-0009
Title: Sudo format string vulnerability [1]
Version history: 31.01.2012 Initial publication

Summary
================

A flaw exists in the debugging code in sudo versions 1.8.0 through 1.8.3p1 that can be used to crash sudo or potentially allow an unauthorized user to elevate privileges to root [1]. Exploitation of the bug does not require that the attacker be listed in the sudoers file. The vendor strongly suggests that affected sites upgrade from affected sudo versions as soon as possible.

CVSS v2 Base Score: 6.8 (Medium) (AV:L/AC:L/Au:S/C:C/I:C/A:C) [2]
Remote: No
Credibility: Vendor Confirmed
Complexity: Low

Vulnerable systems
==================

sudo versions 1.8.0 through 1.8.3p1

Original Details
================

Sudo 1.8.0 introduced simple debugging support that was primarily intended for use when developing policy or I/O logging plugins. The sudo_debug() function contains a flaw where the program name is used as part of the format string passed to the fprintf() function. The program name can be controlled by the caller, either via a symbolic link or, on some systems, by setting argv[0] when executing sudo.

What can you do?
================

Affected users should upgrade to sudo 1.8.3p2. Please refer to your vendor, Linux distributor, etc. for an update of your flavour of the software.

Workarounds: On systems that support FORTIFY_SOURCE (most Linux and NetBSD), adding -D_FORTIFY_SOURCE=2 to the OSDEFS line in src/Makefile and then rebuilding sudo will prevent the bug from being exploited.

What to tell your users?
========================

N/A

More information
================

[1] http://www.sudo.ws/sudo/alerts/sudo_debug.html
[2] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in best effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)
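The bug class described under Original Details above, as an added illustration written for this page (it is neither sudo's code nor CERT-EU's): the vulnerable call shape appears only in a comment, the hardened form passes a fixed literal format with the program name as data, and a small checker shows why an argv[0] the caller controls must never reach the format argument. The function names safe_debug_line and has_format_directives are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not sudo's code. The program name comes from
 * argv[0] (or a symlink name), which the caller controls. Handing it to
 * fprintf() as the *format* is the class of bug in the advisory:
 *
 *     fprintf(stderr, progname);        // vulnerable: caller-controlled format
 *
 * The -D_FORTIFY_SOURCE=2 workaround helps because glibc's fortified printf
 * aborts on a %n directive in a format string that lives in writable memory,
 * but the real fix is to never let untrusted data be the format at all. */

/* Returns true if 'name' would be interpreted as carrying conversion
 * directives when misused as a format string. A literal "%%" is not one. */
bool has_format_directives(const char *name)
{
    for (const char *p = name; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }
            return true;
        }
    }
    return false;
}

/* Hardened debug line: fixed literal format, program name passed as data.
 * Writes "<progname>: <msg>" into buf; returns snprintf's length. */
int safe_debug_line(char *buf, size_t buflen, const char *progname, const char *msg)
{
    return snprintf(buf, buflen, "%s: %s", progname, msg);
}

int main(int argc, char **argv)
{
    const char *progname = argc > 0 ? argv[0] : "sudo";
    char line[256];

    safe_debug_line(line, sizeof line, progname, "debug logging enabled");
    fputs(line, stderr);
    fputc('\n', stderr);
    if (has_format_directives(progname))
        fputs("note: argv[0] contains '%' directives; it is data, not a format\n", stderr);
    return 0;
}
```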