CVE-2005-1993
CVSS 3.7
Published: 2005-06-20 00:00:00
Last revised: 2011-03-07 21:23:12

[Original] Race condition in sudo 1.3.1 up to 1.6.8p8, when the ALL pseudo-command is used after a user entry in the sudoers file, allows local users to gain privileges via a symlink attack.


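[CNNVD] Todd Miller Sudo local race condition vulnerability (CNNVD-200506-193)

        Sudo is a program that lets users safely run commands with another user's privileges; it is widely used on Linux and Unix operating systems.
        Sudo contains a local race condition vulnerability that allows a user with sudo privileges to execute arbitrary commands.
        When a user runs a command through sudo, the inode and device number of the command are compared with those of the commands in the sudoers file that have the same basename. If a match is found, the path of the matching command as listed in the sudoers file is stored in the safe_cmnd variable, which is then used to execute the command. Because the path actually executed comes from the sudoers file rather than directly from the user, sudo is not affected by race conditions involving symbolic links. However, if a sudoers entry containing the pseudo-command ALL immediately follows the user's sudoers entry, the contents of safe_cmnd can be overwritten with the path specified on the command line, which leads to a race condition.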
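An added example, not part of the original entry or of sudo itself: a Python check that flags the sudoers ordering described above, where a command-restricted entry is followed later in the file by an entry granting the ALL pseudo-command. It assumes a simplified reading of sudoers syntax (one host specification per line, aliases and includes not expanded); the sample files and all function names are constructed for illustration.

```python
import re

# Lines that are not user specifications.
NOT_USER_SPEC = re.compile(
    r"^(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)\b")
RUNAS = re.compile(r"\([^)]*\)")   # run-as list, e.g. (root) or (ALL)
TAG = re.compile(r"\b[A-Z_]+:")    # tags, e.g. NOPASSWD:

# Constructed sample: a restricted entry followed by an ALL entry.
SAMPLE_RISKY = r"""# constructed sample sudoers
Defaults env_reset
alice   ALL = (root) NOPASSWD: /bin/ls, \
              /usr/bin/less
root    ALL = (ALL) ALL
bob     ALL = /usr/bin/whoami
"""

# Constructed sample: same rules with the ALL entry moved to the beginning.
SAMPLE_REORDERED = r"""# constructed sample sudoers, ALL entry first
Defaults env_reset
root    ALL = (ALL) ALL
alice   ALL = (root) NOPASSWD: /bin/ls, \
              /usr/bin/less
bob     ALL = /usr/bin/whoami
"""


def logical_lines(text):
    """Yield (first_line_number, text) with comments dropped and
    backslash continuations joined into one logical line."""
    buf, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        line = re.sub(r"#.*", "", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf = (buf + line).strip()
        if buf:
            yield start, buf
        buf, start = "", None
    if buf.strip():
        yield start, buf.strip()


def user_specs(text):
    """Return [(line_number, who, [commands])] for each user specification."""
    specs = []
    for number, line in logical_lines(text):
        if NOT_USER_SPEC.match(line) or "=" not in line:
            continue
        left, right = line.split("=", 1)
        if not left.split():
            continue
        who = left.split()[0]
        # Drop the run-as list and tags so only the command list remains.
        right = TAG.sub("", RUNAS.sub("", right))
        commands = [c.strip() for c in right.split(",") if c.strip()]
        specs.append((number, who, commands))
    return specs


def grants_all(commands):
    """True if the command list contains the ALL pseudo-command."""
    return any(c.split()[0] == "ALL" for c in commands)


def find_risky_ordering(text):
    """Flag each command-restricted entry that has an ALL entry after it."""
    specs = user_specs(text)
    findings = []
    for index, (number, who, commands) in enumerate(specs):
        if grants_all(commands):
            continue  # this entry is itself unrestricted
        for later_number, later_who, later_cmds in specs[index + 1:]:
            if grants_all(later_cmds):
                findings.append({
                    "line": number, "who": who, "commands": commands,
                    "all_line": later_number, "all_who": later_who,
                })
                break
    return findings


if __name__ == "__main__":
    for name, sample in (("risky", SAMPLE_RISKY),
                         ("reordered", SAMPLE_REORDERED)):
        hits = find_risky_ordering(sample)
        print(name, "->", hits if hits else "no restricted entry precedes ALL")
```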
        

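- CVSS (base score)

CVSS score: 3.7 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]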

- CPE (affected platforms and products)

cpe:/a:todd_miller:sudo:1.6.5  Todd Miller Sudo 1.6.5
cpe:/a:todd_miller:sudo:1.6.3_p7  Todd Miller Sudo 1.6.3 p7
cpe:/a:todd_miller:sudo:1.6.7_p5
cpe:/a:todd_miller:sudo:1.6  Todd Miller Sudo 1.6
cpe:/a:todd_miller:sudo:1.6.6  Todd Miller Sudo 1.6.6
cpe:/a:todd_miller:sudo:1.6.3_p6
cpe:/a:todd_miller:sudo:1.6.3_p3
cpe:/a:todd_miller:sudo:1.6.3_p2
cpe:/a:todd_miller:sudo:1.6.5_p1
cpe:/a:todd_miller:sudo:1.6.4_p1
cpe:/a:todd_miller:sudo:1.6.1  Todd Miller Sudo 1.6.1
cpe:/a:todd_miller:sudo:1.3.1
cpe:/a:todd_miller:sudo:1.5.9
cpe:/a:todd_miller:sudo:1.5.6
cpe:/a:todd_miller:sudo:1.6.3_p5
cpe:/a:todd_miller:sudo:1.6.8_p7
cpe:/a:todd_miller:sudo:1.6.3  Todd Miller Sudo 1.6.3
cpe:/a:todd_miller:sudo:1.6.8  Todd Miller Sudo 1.6.8
cpe:/a:todd_miller:sudo:1.5.8
cpe:/a:todd_miller:sudo:1.6.8_p8
cpe:/a:todd_miller:sudo:1.6.4  Todd Miller Sudo 1.6.4
cpe:/a:todd_miller:sudo:1.6.8_p1
cpe:/a:todd_miller:sudo:1.6.3_p4
cpe:/a:todd_miller:sudo:1.6.7  Todd Miller Sudo 1.6.7
cpe:/a:todd_miller:sudo:1.6.4_p2
cpe:/a:todd_miller:sudo:1.6.3_p1
cpe:/a:todd_miller:sudo:1.6.5_p2
cpe:/a:todd_miller:sudo:1.6.2  Todd Miller Sudo 1.6.2
cpe:/a:todd_miller:sudo:1.5.7

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1242  sudo Symlink Vulnerability
oval:org.mitre.oval:def:11341  Race condition in sudo 1.3.1 up to 1.6.8p8, when the ALL pseudo-command is used after a user entry in the sudoers file, allows local users t...
*OVAL describes in detail how to detect this vulnerability; further technical details on detection can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1993
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1993
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200506-193
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/archive/1/402741
(VENDOR_ADVISORY)  BUGTRAQ  20050620 Sudo version 1.6.8p9 now available, fixes security issue.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161116
(UNKNOWN)  CONFIRM  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161116
http://www.vupen.com/english/advisories/2005/2659
(UNKNOWN)  VUPEN  ADV-2005-2659
http://www.vupen.com/english/advisories/2005/0821
(UNKNOWN)  VUPEN  ADV-2005-0821
http://www.securityfocus.com/bid/13993
(UNKNOWN)  BID  13993
http://xforce.iss.net/xforce/xfdb/21080
(UNKNOWN)  XF  sudo-pathname-race-condition(21080)
http://www.sudo.ws/sudo/alerts/path_race.html
(UNKNOWN)  CONFIRM  http://www.sudo.ws/sudo/alerts/path_race.html
http://www.securityfocus.com/bid/15647
(UNKNOWN)  BID  15647
http://www.securityfocus.com/archive/1/archive/1/425974/100/0/threaded
(UNKNOWN)  FEDORA  FLSA:162750
http://www.redhat.com/support/errata/RHSA-2005-535.html
(UNKNOWN)  REDHAT  RHSA-2005:535
http://www.osvdb.org/17396
(UNKNOWN)  OSVDB  17396
http://www.novell.com/linux/security/advisories/2005_36_sudo.html
(UNKNOWN)  SUSE  SUSE-SA:2005:036
http://www.debian.org/security/2005/dsa-735
(UNKNOWN)  DEBIAN  DSA-735
http://secunia.com/advisories/17813
(UNKNOWN)  SECUNIA  17813
http://secunia.com/advisories/15744
(UNKNOWN)  SECUNIA  15744
http://docs.info.apple.com/article.html?artnum=302847
(UNKNOWN)  APPLE  APPLE-SA-2005-11-29

- Vulnerability information

Todd Miller Sudo local race condition vulnerability
Low risk  Race condition
2005-06-20 00:00:00 2005-10-20 00:00:00
Local

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. Patch download links:
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/018_sudo.patch
        OpenBSD Patch 003_sudo.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/003_sudo.patch
        http://www.sudo.ws/sudo/dist/sudo-1.6.8p9.tar.gz

- Vulnerability information (F42016)

Apple Security Advisory 2005-11-29 (PacketStormID:F42016)
2005-12-02 00:00:00
Apple  apple.com
advisory,vulnerability
apple
CVE-2005-2088,CVE-2005-2700,CVE-2005-2757,CVE-2005-3185,CVE-2005-3700,CVE-2005-2969,CVE-2005-3701,CVE-2005-2491,CVE-2005-3702,CVE-2005-3703,CVE-2005-3705,CVE-2005-1993,CVE-2005-3704

Apple Security Advisory - Apple has released a security update which addresses over a dozen vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2005-11-29 Security Update 2005-009

Security Update 2005-009 is now available and delivers the following
security enhancements:

Apache2
CVE-ID:  CVE-2005-2088
Available for:  Mac OS X Server v10.3.9, Mac OS X Server v10.4.3
Impact:  Cross-site scripting may be possible in certain
configurations
Description:  The Apache 2 web server may allow an attacker to bypass
protections using specially-crafted HTTP headers.  This behavior is
only present when Apache is used in conjunction with certain proxy
servers, caching servers, or web application firewalls.  This update
addresses the issue by incorporating Apache version 2.0.55.

apache_mod_ssl
CVE-ID:  CVE-2005-2700
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  SSL client authentication may be bypassed in certain
configurations
Description:  The Apache web server's mod_ssl module may allow an
attacker unauthorized access to a resource that is configured to
require SSL client authentication.  Only Apache configurations that
include the "SSLVerifyClient require" directive may be affected.
This update addresses the issue by incorporating mod_ssl 2.8.24 and
Apache version 2.0.55 (Mac OS X Server).

CoreFoundation
CVE-ID:  CVE-2005-2757
Available for:  Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact:  Resolving a maliciously-crafted URL may result in crashes or
arbitrary code execution
Description:  By carefully crafting a URL, an attacker can trigger a
heap buffer overflow in CoreFoundation which may result in a crash or
arbitrary code execution.  CoreFoundation is used by Safari and other
applications.  This update addresses the issue by performing
additional validation of URLs.  This issue does not affect systems
prior to Mac OS X v10.4.

curl
CVE-ID:  CVE-2005-3185
Available for:  Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact:  Visiting a malicious HTTP server and using NTLM
authentication may result in arbitrary code execution
Description:  Using curl with NTLM authentication enabled to download
an HTTP resource may allow an attacker to supply an overlong user or
domain name.  This may cause a stack buffer overflow and lead to
arbitrary code execution.  This update addresses the issue by
performing additional validation when using NTLM authentication.
This issue does not affect systems prior to Mac OS X v10.4.

iodbcadmintool
CVE-ID:  CVE-2005-3700
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  Local users may gain elevated privileges
Description:  The ODBC Administrator utility includes a helper tool
called iodbcadmintool that executes with raised privileges.  This
helper tool contains a vulnerability that may allow local users to
execute arbitrary commands with raised privileges.  This update
addresses the issue by providing an updated iodbcadmintool that is
not susceptible.

OpenSSL
CVE-ID:  CVE-2005-2969
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  Applications using OpenSSL may be forced to use the weaker
SSLv2 protocol
Description:  Applications that do not disable SSLv2 or that enable
certain compatibility options when using OpenSSL may be vulnerable to
a protocol downgrade attack.  Such attacks may cause an SSL
connection to use the SSLv2 protocol which provides less protection
than SSLv3 or TLS.  Further information on this issue is available at
http://www.openssl.org/news/secadv_20051011.txt.  This update
addresses the issue by incorporating OpenSSL version 0.9.7i.

passwordserver
CVE-ID:  CVE-2005-3701
Available for:  Mac OS X Server v10.3.9, Mac OS X Server v10.4.3
Impact:  Local users on Open Directory master servers may gain
elevated privileges
Description:  When creating an Open Directory master server,
credentials may be compromised.  This could lead to unprivileged
local users gaining elevated privileges on the server.  This update
addresses the issue by ensuring the credentials are protected.

Safari
CVE-ID:  CVE-2005-2491
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  Processing a regular expression may result in arbitrary
code execution
Description:  The JavaScript engine in Safari uses a version of the
PCRE library that is vulnerable to a potentially exploitable heap
overflow.  This may lead to the execution of arbitrary code.  This
update addresses the issue by providing a new version of the
JavaScript engine that incorporates more robust input validation.

Safari
CVE-ID:  CVE-2005-3702
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  Safari may download files outside of the designated download
directory
Description:  When files are downloaded in Safari they are normally
placed in the location specified as the download directory.  However,
if a web site suggests an overlong filename for a download, it is
possible for Safari to create this file in other locations.  Although
the filename and location of the downloaded file content cannot be
directly specified by remote servers, this may still lead to
downloading content into locations accessible to other users.  This
update addresses the issue by rejecting overlong filenames.

Safari
CVE-ID:  CVE-2005-3703
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  JavaScript dialog boxes in Safari may be misleading
Description:  In Safari, JavaScript dialog boxes do not indicate the
web site that created them.  This could mislead users into
unintentionally disclosing information to a web site.  This update
addresses the issue by displaying the originating site name in
JavaScript dialog boxes.  Credit to Jakob Balle of Secunia Research
for reporting this issue.

Safari
CVE-ID:  CVE-2005-3705
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  Visiting malicious web sites with WebKit-based applications
may lead to arbitrary code execution
Description:  WebKit contains a heap overflow that may lead to the
execution of arbitrary code.  This may be triggered by content
downloaded from malicious web sites in applications that use WebKit
such as Safari.  This update addresses the issue by removing the heap
overflow from WebKit.  Credit to Neil Archibald of Suresec LTD and
Marco Mella for reporting this issue.

sudo
CVE-ID:  CVE-2005-1993
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact:  Local users may be able to gain elevated privileges in
certain sudo configurations
Description:  Sudo allows system administrators to grant users the
ability to run specific commands with elevated privileges.  Although
the default configuration is not vulnerable to this issue, custom
sudo configurations may not properly restrict users.  Further
information on this issue is available from:
http://www.sudo.ws/sudo/alerts/path_race.html
This update addresses the issue by incorporating sudo version
1.6.8p9.

syslog
CVE-ID:  CVE-2005-3704
Available for:  Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact:  System log entries may be forged
Description:  The system log server records syslog messages verbatim.
By supplying control characters such as the newline character, a
local attacker could forge entries with the intention to mislead the
system administrator.  This update addresses the issue by specially
handling control characters and other non-printable characters.  This
issue does not affect systems prior to Mac OS X v10.4.  Credit to
HELIOS Software GmbH for reporting this issue.

Additional Information

Also included in this update are enhancements to Safari to improve
handling of credit card security codes (Mac OS X v10.3.9 and Mac OS X
v10.4.3), CoreTypes to improve handling of Terminal files (Mac OS X
v10.4.3), QuickDraw Manager to improve rendering of PICT files (Mac
OS X v10.3.9), documentation regarding OpenSSH and PAM (Mac OS X
v10.4.3), and ServerMigration to remove unneeded privileges.

Security Update 2005-009 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.3
The download file is named:  "SecUpd2005-009Ti.dmg"
Its SHA-1 digest is:  544f51a7bc73a57dbca95e05693904aadb2f94b1

For Mac OS X Server v10.4.3
The download file is named:  "SecUpdSrvr2005-009Ti.dmg"
Its SHA-1 digest is:  b7620426151b8f1073c9ff73b2adf43b3086cc60

For Mac OS X v10.3.9
The download file is named:  "SecUpd2005-009Pan.dmg"
Its SHA-1 digest is:  ea17ad7852b3e6277f53c2863e51695ac7018650

For Mac OS X Server v10.3.9
The download file is named:  "SecUpdSrvr2005-009Pan.dmg"
Its SHA-1 digest is:  b03711729697ea8e6b683eb983343f2f3de3af13

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/


- Vulnerability information (F38395)

Debian Linux Security Advisory 735-1 (PacketStormID:F38395)
2005-07-01 00:00:00
Debian  security.debian.org
advisory,arbitrary,local
linux,debian
CVE-2005-1993

Debian Security Advisory DSA 735-1 - A local user who has been granted permission to run commands via sudo could run arbitrary commands as a privileged user due to a flaw in sudo's pathname validation.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory 735-1                       security@debian.org
http://www.debian.org/security/                            Michael Stone
July 01, 2005                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : sudo
Vulnerability  : pathname validation race
Problem type   : local
Debian-specific: no
CVE Id(s)      : CAN-2005-1993
Debian Bug     : 315115

A local user who has been granted permission to run commands via sudo
could run arbitrary commands as a privileged user due to a flaw in
sudo's pathname validation. This bug only affects configurations which
have restricted user configurations prior to an ALL directive in the
configuration file. A workaround is to move any ALL directives to the
beginning of the sudoers file; see the advisory at
http://www.sudo.ws/sudo/alerts/path_race.html for more information.

For the old stable Debian distribution (woody), this problem has been
fixed in version 1.6.6-1.3woody1. For the current stable distribution
(sarge), this problem has been fixed in version 1.6.8p7-1.1sarge1. Note
that packages are not yet ready for certain architectures; these will be
released as they become available.

We recommend that you upgrade your sudo package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


- -------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- Vulnerability information

17396
sudo sudoers ALL Entry Race Condition
Local Access Required Race Condition
Loss of Integrity Workaround, Patch / RCS
Exploit Public Vendor Verified, Vendor Verified, Third-party Verified, Coordinated Disclosure

- Vulnerability description

sudo contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue can be triggered by a user who already has some kind of sudo access, and they can leverage sudo to run arbitrary commands as other users. This flaw will most likely lead to a root compromise.

- Timeline

2005-06-21 2004-01-01
2005-07-05 2005-06-21

- Solution

Upgrade to version 1.6.8 patchlevel 9 or higher, as it has been reported to fix this vulnerability. A workaround can be achieved if care is taken in the order of the lines in the sudoers file. Entries with ALL should come after all other entries.

- Related references

- Vulnerability author

- Vulnerability information

Todd Miller Sudo Local Race Condition Vulnerability
Race Condition Error 13993
No Yes
2005-06-20 12:00:00 2008-05-06 01:45:00
Discovery of this issue is credited to Charles Morris.

- Affected program versions

Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Server 7.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Turbolinux 10 F...
Turbolinux Home
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Enterprise Linux 2.0
Todd Miller Sudo 1.6.8 p8
+ OpenPKG OpenPKG 2.4
+ OpenPKG OpenPKG Current
+ Red Hat Fedora Core4
Todd Miller Sudo 1.6.8 p7
Todd Miller Sudo 1.6.8 p5
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
Todd Miller Sudo 1.6.8 p1
Todd Miller Sudo 1.6.8
Todd Miller Sudo 1.6.7 p5
+ Conectiva Linux 10.0
+ Conectiva Linux 9.0
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ OpenPKG OpenPKG 2.1
+ Red Hat Fedora Core3
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Todd Miller Sudo 1.6.7
Todd Miller Sudo 1.6.6
Todd Miller Sudo 1.6.5 p2
+ NetBSD NetBSD 1.5.2
+ OpenBSD OpenBSD 3.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 alpha
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
Todd Miller Sudo 1.6.5 p1
+ Slackware Linux 8.0
Todd Miller Sudo 1.6.5
Todd Miller Sudo 1.6.4 p2
Todd Miller Sudo 1.6.4 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux graficas
+ Conectiva Linux ecommerce
Todd Miller Sudo 1.6.4
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 alpha
Todd Miller Sudo 1.6.3 p7
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ Slackware Linux 8.0
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
Todd Miller Sudo 1.6.3 p6
Todd Miller Sudo 1.6.3 p5
Todd Miller Sudo 1.6.3 p4
+ Slackware Linux 7.1
Todd Miller Sudo 1.6.3 p3
Todd Miller Sudo 1.6.3 p2
Todd Miller Sudo 1.6.3 p1
Todd Miller Sudo 1.6.3
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
Todd Miller Sudo 1.6.2
- Debian Linux 2.2
Todd Miller Sudo 1.6.1
Todd Miller Sudo 1.6
Todd Miller Sudo 1.5.9
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4
Todd Miller Sudo 1.5.8
Todd Miller Sudo 1.5.7
Todd Miller Sudo 1.5.6
Slackware Linux 10.1
Slackware Linux 10.0
Slackware Linux 9.1
Slackware Linux 9.0
Slackware Linux 8.1
Slackware Linux -current
SGI ProPack 3.0 SP6
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
RedHat Linux 9.0 i386
RedHat Linux 7.3 i686
RedHat Linux 7.3 i386
RedHat Linux 7.3
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
OpenBSD OpenBSD 3.7
OpenBSD OpenBSD 3.6
Gentoo Linux
Apple Mac OS X Server 10.4.3
Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X Server 10.3.9
Apple Mac OS X Server 10.3.8
Apple Mac OS X Server 10.3.7
Apple Mac OS X Server 10.3.6
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X 10.4.3
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4
Apple Mac OS X 10.3.9
Apple Mac OS X 10.3.8
Apple Mac OS X 10.3.7
Apple Mac OS X 10.3.6
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3
Todd Miller Sudo 1.6.8 p9

- Unaffected program versions

Todd Miller Sudo 1.6.8 p9

- Vulnerability discussion

Sudo is prone to a local race-condition vulnerability. The issue manifests itself only under certain conditions, specifically, when the 'sudoers' configuration file contains a pseudo-command 'ALL' that directly follows a user's 'sudoers' entry.

When such a configuration exists, local attackers may leverage this issue to execute arbitrary executables with escalated privileges. Attackers may achieve this by creating symbolic links to target files.

- Exploit

No exploit is required. An exploit by '__blf', is available:

- Solution

Please see the referenced vendor advisories for details on obtaining and applying fixes.


OpenBSD OpenBSD 3.7

OpenBSD OpenBSD 3.6

Todd Miller Sudo 1.5.7

Todd Miller Sudo 1.5.8

Todd Miller Sudo 1.5.9

Todd Miller Sudo 1.6

Todd Miller Sudo 1.6.1

Todd Miller Sudo 1.6.2

Todd Miller Sudo 1.6.3

Todd Miller Sudo 1.6.3 p1

Todd Miller Sudo 1.6.3 p5

Todd Miller Sudo 1.6.3 p4

Todd Miller Sudo 1.6.3 p7

Todd Miller Sudo 1.6.4 p2

Todd Miller Sudo 1.6.4 p1

Todd Miller Sudo 1.6.4

Todd Miller Sudo 1.6.5 p2

Todd Miller Sudo 1.6.5 p1

Todd Miller Sudo 1.6.7 p5

Todd Miller Sudo 1.6.8 p5

Todd Miller Sudo 1.6.8

Todd Miller Sudo 1.6.8 p8

Apple Mac OS X 10.3

Apple Mac OS X Server 10.3.1

Apple Mac OS X 10.3.1

Apple Mac OS X 10.3.2

Apple Mac OS X Server 10.3.2

Apple Mac OS X 10.3.3

Apple Mac OS X Server 10.3.4

Apple Mac OS X Server 10.3.5

Apple Mac OS X 10.3.5

Apple Mac OS X Server 10.3.6

Apple Mac OS X 10.3.8

Apple Mac OS X Server 10.3.8

Apple Mac OS X Server 10.3.9

Apple Mac OS X 10.4

Apple Mac OS X 10.4.2

Apple Mac OS X Server 10.4.3

Apple Mac OS X 10.4.3
