diff options
author | tmclaugh <tmclaugh@FreeBSD.org> | 2009-02-07 03:35:46 +0800 |
---|---|---|
committer | tmclaugh <tmclaugh@FreeBSD.org> | 2009-02-07 03:35:46 +0800 |
commit | 41132f4e0dc20f739593b13e05542e3886d2d477 (patch) | |
tree | dcce5907278d55510876b7f5c5cb4ea0d53bf853 | |
parent | f3c56cd397fabb9902dd5d19432eea064a918b39 (diff) | |
download | freebsd-ports-gnome-41132f4e0dc20f739593b13e05542e3886d2d477.tar.gz freebsd-ports-gnome-41132f4e0dc20f739593b13e05542e3886d2d477.tar.zst freebsd-ports-gnome-41132f4e0dc20f739593b13e05542e3886d2d477.zip |
Security update for sudo to 1.6.9p20 for CVE 2009-0034
Changes:
- Only use the cached supplementory group vector when matching groups
for the invoking user. (security)
- When setting the umask, use the union of the user's umask and the
default value set in sudoers so that we never lower the user's umask
when running a command.
- Sudo now operates in the C locale again when doing a match against
sudoers.
PR: 131446
Submitted by: Eygene Ryabinkin
Security: vid:13d6d997-f455-11dd-8516-001b77d09812
-rw-r--r-- | security/sudo/Makefile | 4 | ||||
-rw-r--r-- | security/sudo/distinfo | 6 | ||||
-rw-r--r-- | security/vuxml/vuln.xml | 32 |
3 files changed, 37 insertions, 5 deletions
diff --git a/security/sudo/Makefile b/security/sudo/Makefile index 735785cc34a7..77c2a28c26e8 100644 --- a/security/sudo/Makefile +++ b/security/sudo/Makefile @@ -6,7 +6,7 @@ # PORTNAME= sudo -PORTVERSION= 1.6.9.17 +PORTVERSION= 1.6.9.20 CATEGORIES= security MASTER_SITES= http://www.sudo.ws/sudo/dist/ \ ftp://obsd.isc.org/pub/sudo/ \ @@ -16,7 +16,7 @@ MASTER_SITES= http://www.sudo.ws/sudo/dist/ \ ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ \ ${MASTER_SITE_LOCAL} MASTER_SITE_SUBDIR= tmclaugh/sudo -DISTNAME= ${PORTNAME}-1.6.9p17 +DISTNAME= ${PORTNAME}-1.6.9p20 MAINTAINER= tmclaugh@FreeBSD.org COMMENT= Allow others to run commands as root diff --git a/security/sudo/distinfo b/security/sudo/distinfo index dfc778cc96f3..9103e9de47bb 100644 --- a/security/sudo/distinfo +++ b/security/sudo/distinfo @@ -1,3 +1,3 @@ -MD5 (sudo-1.6.9p17.tar.gz) = 60daf18f28e2c1eb7641c4408e244110 -SHA256 (sudo-1.6.9p17.tar.gz) = 1e2cd4ff684c6f542b7e392010021f36b201d074620dad4d7689da60f9c74596 -SIZE (sudo-1.6.9p17.tar.gz) = 593534 +MD5 (sudo-1.6.9p20.tar.gz) = cd1caee0227641968d63d06845dea70a +SHA256 (sudo-1.6.9p20.tar.gz) = 1197bd5f2087c13a3837e1c4da250f7db2a86f843bf00f2b3568f6410239ac7b +SIZE (sudo-1.6.9p20.tar.gz) = 596009 diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 4c9dc5382da9..45fde1086685 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -34,6 +34,38 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="13d6d997-f455-11dd-8516-001b77d09812"> + <topic>sudo -- certain authorized users could run commands as any user</topic> + <affects> + <package> + <name>sudo</name> + <range><ge>1.6.9</ge><lt>1.6.9.20</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Todd Miller reports:</p> + <blockquote + cite="http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html"> + <p>A bug was introduced in Sudo's group matching code in + version 1.6.9 when support for matching based on the + supplemental group vector was added. This bug may allow + certain users listed in the sudoers file to run a command as a + different user than their access rule specifies.</p> + </blockquote> + </body> + </description> + <references> + <mlist msgid="200902041802.n14I2llS024155@core.courtesan.com">http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html</mlist> + <cvename>CVE-2009-0034</cvename> + <bid>33517</bid> + </references> + <dates> + <discovery>2009-02-04</discovery> + <entry>2009-02-06</entry> + </dates> + </vuln> + <vuln vid="6d85dc62-f2bd-11dd-9f55-0030843d3802"> <topic>drupal -- multiple vulnerabilities</topic> <affects> |