aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authortmclaugh <tmclaugh@FreeBSD.org>2009-02-07 03:35:46 +0800
committertmclaugh <tmclaugh@FreeBSD.org>2009-02-07 03:35:46 +0800
commit41132f4e0dc20f739593b13e05542e3886d2d477 (patch)
treedcce5907278d55510876b7f5c5cb4ea0d53bf853
parentf3c56cd397fabb9902dd5d19432eea064a918b39 (diff)
downloadfreebsd-ports-gnome-41132f4e0dc20f739593b13e05542e3886d2d477.tar.gz
freebsd-ports-gnome-41132f4e0dc20f739593b13e05542e3886d2d477.tar.zst
freebsd-ports-gnome-41132f4e0dc20f739593b13e05542e3886d2d477.zip
Security update for sudo to 1.6.9p20 for CVE 2009-0034
Changes: - Only use the cached supplementory group vector when matching groups for the invoking user. (security) - When setting the umask, use the union of the user's umask and the default value set in sudoers so that we never lower the user's umask when running a command. - Sudo now operates in the C locale again when doing a match against sudoers. PR: 131446 Submitted by: Eygene Ryabinkin Security: vid:13d6d997-f455-11dd-8516-001b77d09812
-rw-r--r--security/sudo/Makefile4
-rw-r--r--security/sudo/distinfo6
-rw-r--r--security/vuxml/vuln.xml32
3 files changed, 37 insertions, 5 deletions
diff --git a/security/sudo/Makefile b/security/sudo/Makefile
index 735785cc34a7..77c2a28c26e8 100644
--- a/security/sudo/Makefile
+++ b/security/sudo/Makefile
@@ -6,7 +6,7 @@
#
PORTNAME= sudo
-PORTVERSION= 1.6.9.17
+PORTVERSION= 1.6.9.20
CATEGORIES= security
MASTER_SITES= http://www.sudo.ws/sudo/dist/ \
ftp://obsd.isc.org/pub/sudo/ \
@@ -16,7 +16,7 @@ MASTER_SITES= http://www.sudo.ws/sudo/dist/ \
ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ \
${MASTER_SITE_LOCAL}
MASTER_SITE_SUBDIR= tmclaugh/sudo
-DISTNAME= ${PORTNAME}-1.6.9p17
+DISTNAME= ${PORTNAME}-1.6.9p20
MAINTAINER= tmclaugh@FreeBSD.org
COMMENT= Allow others to run commands as root
diff --git a/security/sudo/distinfo b/security/sudo/distinfo
index dfc778cc96f3..9103e9de47bb 100644
--- a/security/sudo/distinfo
+++ b/security/sudo/distinfo
@@ -1,3 +1,3 @@
-MD5 (sudo-1.6.9p17.tar.gz) = 60daf18f28e2c1eb7641c4408e244110
-SHA256 (sudo-1.6.9p17.tar.gz) = 1e2cd4ff684c6f542b7e392010021f36b201d074620dad4d7689da60f9c74596
-SIZE (sudo-1.6.9p17.tar.gz) = 593534
+MD5 (sudo-1.6.9p20.tar.gz) = cd1caee0227641968d63d06845dea70a
+SHA256 (sudo-1.6.9p20.tar.gz) = 1197bd5f2087c13a3837e1c4da250f7db2a86f843bf00f2b3568f6410239ac7b
+SIZE (sudo-1.6.9p20.tar.gz) = 596009
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 4c9dc5382da9..45fde1086685 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -34,6 +34,38 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="13d6d997-f455-11dd-8516-001b77d09812">
+ <topic>sudo -- certain authorized users could run commands as any user</topic>
+ <affects>
+ <package>
+ <name>sudo</name>
+ <range><ge>1.6.9</ge><lt>1.6.9.20</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Todd Miller reports:</p>
+ <blockquote
+ cite="http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html">
+ <p>A bug was introduced in Sudo's group matching code in
+ version 1.6.9 when support for matching based on the
+ supplemental group vector was added. This bug may allow
+ certain users listed in the sudoers file to run a command as a
+ different user than their access rule specifies.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <mlist msgid="200902041802.n14I2llS024155@core.courtesan.com">http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html</mlist>
+ <cvename>CVE-2009-0034</cvename>
+ <bid>33517</bid>
+ </references>
+ <dates>
+ <discovery>2009-02-04</discovery>
+ <entry>2009-02-06</entry>
+ </dates>
+ </vuln>
+
<vuln vid="6d85dc62-f2bd-11dd-9f55-0030843d3802">
<topic>drupal -- multiple vulnerabilities</topic>
<affects>