[sudo-announce] Sudo version 1.6.8p11 now available, fixes security issue.

Todd C. Miller Todd.Miller at courtesan.com
Tue Nov 1 11:59:48 EST 2005

Sudo version 1.6.8, patchlevel 11 is now available, which fixes a
security issue with bash scripts run via sudo.

    A flaw in exists in sudo's environment sanitizing prior to sudo
    version 1.6.8p10 that could allow a malicious user with permission
    to run a shell script that utilized the bash shell to run
    arbitrary commands.  The /bin/sh shell on most (if not all)
    Linux and Mac OS X systems is bash.

Sudo versions affected:
    Sudo versions 1.3.1 up to and including 1.6.8p9.

    The bash shell uses the value of the PS4 environment variable
    (after expansion) as a prefix for commands run in execution
    trace mode.  Execution trace mode (xtrace) is normally set via
    bash's -x command line option or interactively by running "set
    -o xtrace".  However, it may also be enabled by placing the
    string "xtrace" in the SHELLOPTS environment variable before
    bash is started.

    A malicious user with sudo access to a shell script that uses
    bash can use this feature to run arbitrary commands for each
    line of the script.

    Exploitation of the bug requires that the bash shell be installed
    on the machine and that users be granted sudo access to run
    scripts written in bash.  On most (if not all) Linux and Mac
    OS X systems, /bin/sh is bash so /bin/sh scripts are affected
    by this as well.

    The bug is fixed in sudo 1.6.8p10 and higher.

    The administrator can add a line at the top of the sudoers file:

    Defaults        env_delete+="PS4 SHELLOPTS"

    which will cause sudo to strip the PS4 and SHELLOPTS environment
    variables without requiring a recompile.

    Alternately, the administrator can add a line to the top of
    sudoers file:

    Defaults        env_reset

    which will reset the environment to only contain the variables
    HOME, LOGNAME, PATH, SHELL, TERM, and USER, also preventing
    this attack.

    This problem was found by Tavis Ormandy.

Other changes in patchlevel 11:
    A change was also made in patchlevel 11 to exclude the
    JAVA_TOOL_OPTIONS variable from the environment before executing
    a command.  This prevents a user from passing arbitrary arguments
    to java 5.

The next major Sudo release will be version 1.7.  For information
on what to expect in sudo 1.7, see http://www.sudo.ws/sudo/future.html

Master Web Site:

Web Site Mirrors:
    http://www.mirrormonster.com/sudo/ (Fremont, California, USA)
    http://sudo.stikman.com/ (Los Angeles, California, USA)
    http://sudo.tolix.org/ (California, USA)
    http://mirage.informationwave.net/sudo/ (Fanwood, New Jersey, USA)
    http://www.mrv2k.net/sudo/ (Bend, Oregon, USA)
    http://sudo.rtin.bz/ (Philadelphia, Pennsylvania, USA)
    http://www.signal42.com/mirrors/sudo_www/ (USA)
    http://sudo.xmundo.net/ (Argentina)
    http://sudo.planetmirror.com/ (Australia)
    http://www.bangladesh-linux-info.org/sudo/sudo.html (Bangladesh)
    http://mirror.mons-new-media.de/sudo/ (Germany)
    http://sudo.miscellaneousmirror.org/ (Cologne, Germany)
    http://sunshine.lv/sudo/ (Latvia)
    http://rexem.uni.cc/sudo/ (Kaunas, Lithuania)
    http://sudo.cdu.elektra.ru/ (Russia)
    http://sudo.nctu.edu.tw/ (Taiwan)

FTP Mirrors:
    ftp://ftp.sudo.ws/pub/sudo/ (Frisco, Texas, USA)
    ftp://plier.ucar.edu/pub/sudo/ (Boulder, Colorado, USA)
    ftp://ftp.cs.colorado.edu/pub/sudo/ (Boulder, Colorado, USA)
    ftp://obsd.isc.org/pub/sudo/ (Redwood City, California, USA)
    ftp://ftp.stikman.com/pub/sudo/ (Los Angeles, California, USA)
    ftp://ftp.tux.org/pub/security/sudo/ (Beltsville, Maryland, USA)
    ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
    ftp://ftp.uwsg.indiana.edu/pub/security/sudo/ (Bloomington, Indiana, USA)
    ftp://mirror.sg.depaul.edu/pub/security/sudo/ (Chicago, Illinois, USA)
    ftp://sudo.xmundo.net/pub/mirrors/sudo/ (Argentina)
    ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ (Australia)
    ftp://ftp.tuwien.ac.at/utils/admin-tools/sudo/ (Austria)
    ftp://sunsite.ualberta.ca/pub/Mirror/sudo/ (Alberta, Canada)
    ftp://ftp.csc.cuhk.edu.hk/pub/packages/unix-tools/sudo/ (Hong Kong, China)
    ftp://ftp.eunet.cz/security/sudo/ (Czech Republic)
    ftp://ftp.ujf-grenoble.fr/sudo/ (France)
    ftp://netmirror.org/ftp.sudo.ws/ (Frankfurt, Germany)
    ftp://ftp.win.ne.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.st.ryukoku.ac.jp/pub/security/tool/sudo/ (Japan)
    ftp://ftp.cin.nihon-u.ac.jp/pub/misc/sudo/ (Japan)
    ftp://core.ring.gr.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.ring.gr.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.tpnet.pl/d6/ftp.sudo.ws/ (Poland)
    ftp://ftp.cdu.elektra.ru/pub/unix/security/sudo/ (Russia)
    ftp://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)

HTTP Mirrors:
    http://www.sudo.ws/sudo/dist/ (Frisco, Texas, USA)
    http://www.mirrormonster.com/sudo/dist/ (Fremont, California, USA)
    http://sudo.tolix.org/ftp/ (California, USA)
    http://sudo.mirror99.com/ (San Jose, California, USA)
    http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
    http://probsd.org/sudoftp/ (East Coast, USA)
    http://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
    http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
    http://www.ip97.com/sudo/ (Dallas, Texas, USA)
    http://netmirror.org/mirror/ftp.sudo.ws/ (Frankfurt, Germany)
    http://mirror.mons-new-media.de/sudo_ftp/ (Frankfurt, Germany)
    http://core.ring.gr.jp/archives/misc/sudo/ (Japan)
    http://www.ring.gr.jp/archives/misc/sudo/ (Japan)
    http://ftp.tpnet.pl/vol/d6/ftp.sudo.ws/ (Poland)
    http://sudo.tsuren.net/dist/ (Moscow, Russian Federation)
    http://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)

More information about the sudo-announce mailing list