[sudo-announce] Sudo version 1.6.8p12 now available, fixes security issue.

Todd C. Miller Todd.Miller at courtesan.com
Thu Nov 10 14:24:44 EST 2005

Sudo version 1.6.8, patchlevel 12 is now available, which fixes a
security issue with perl scripts run via sudo.

    A flaw in exists in sudo's environment sanitizing prior to sudo
    version 1.6.8p12 that could allow a malicious user with permission
    to run a perl script to execute arbitrary perl code.

Sudo versions affected:
    All versions prior to 1.6.8p12.

    The PERL5LIB and PERLLIB environment variables can be used to
    provide a list of directories in which to look for perl library
    files before the system directories are searched.  It is similar
    in concept to the LD_LIBRARY_PATH environment variables, only
    for perl.  These variables are ignored if "tainting" is enabled
    (via the -T switch).  The PERL5OPT environment variable specifies
    additional command line options to be passed to the script which
    may modify its behavior.

    Malicious users with sudo access to run a perl script can use
    these variables to include and execute their own library file
    with the same name as a system library file that is included
    (via the "use" or "require" directives) by the perl script run
    via sudo.

    Exploitation of the bug requires that perl be installed on the
    machine and that users be granted sudo access to run perl scripts
    that do not have tainting turned on.

    The bug is fixed in sudo 1.6.8p12 and higher.

    The administrator can add a line at the top of the sudoers file:

    Defaults        env_delete+="PERLLIB PERL5LIB PERL5OPT"

    which will cause sudo to strip the PERLLIB, PERL5LIB and PERL5OPT
    environment variables without requiring a recompile.

    Alternately, the administrator can add a line to the top of
    sudoers file:

    Defaults        env_reset

    which will reset the environment to only contain the variables
    HOME, LOGNAME, PATH, SHELL, TERM, and USER, also preventing
    this attack.

    This problem was brought to my attention by Charles Morris.

The next major Sudo release will be version 1.7.  For information
on what to expect in sudo 1.7, see http://www.sudo.ws/sudo/future.html
You can help speed the release of Sudo 1.7 by purchasing a support
contract or making a donation (see below).

Commercial support is available for Sudo.  If your organization
uses Sudo, please consider purchasing a support contract to help
fund future Sudo development at http://www.sudo.ws/support.html
Custom enhancements to Sudo may also be contracted.

You can also help out by making a donation or "purchase" a copy
of Sudo at http://www.sudo.ws/purchase.html

Master Web Site:

Web Site Mirrors:
    http://www.mirrormonster.com/sudo/ (Fremont, California, USA)
    http://sudo.stikman.com/ (Los Angeles, California, USA)
    http://sudo.tolix.org/ (California, USA)
    http://mirage.informationwave.net/sudo/ (Fanwood, New Jersey, USA)
    http://www.mrv2k.net/sudo/ (Bend, Oregon, USA)
    http://sudo.rtin.bz/ (Philadelphia, Pennsylvania, USA)
    http://www.signal42.com/mirrors/sudo_www/ (USA)
    http://sudo.xmundo.net/ (Argentina)
    http://sudo.planetmirror.com/ (Australia)
    http://www.bangladesh-linux-info.org/sudo/sudo.html (Bangladesh)
    http://mirror.mons-new-media.de/sudo/ (Germany)
    http://sudo.miscellaneousmirror.org/ (Cologne, Germany)
    http://sunshine.lv/sudo/ (Latvia)
    http://rexem.uni.cc/sudo/ (Kaunas, Lithuania)
    http://sudo.cdu.elektra.ru/ (Russia)
    http://sudo.nctu.edu.tw/ (Taiwan)

FTP Mirrors:
    ftp://ftp.sudo.ws/pub/sudo/ (Dallas, Texas, USA)
    ftp://plier.ucar.edu/pub/sudo/ (Boulder, Colorado, USA)
    ftp://ftp.cs.colorado.edu/pub/sudo/ (Boulder, Colorado, USA)
    ftp://obsd.isc.org/pub/sudo/ (Redwood City, California, USA)
    ftp://ftp.stikman.com/pub/sudo/ (Los Angeles, California, USA)
    ftp://ftp.tux.org/pub/security/sudo/ (Beltsville, Maryland, USA)
    ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
    ftp://ftp.uwsg.indiana.edu/pub/security/sudo/ (Bloomington, Indiana, USA)
    ftp://mirror.sg.depaul.edu/pub/security/sudo/ (Chicago, Illinois, USA)
    ftp://sudo.xmundo.net/pub/mirrors/sudo/ (Argentina)
    ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ (Australia)
    ftp://ftp.tuwien.ac.at/utils/admin-tools/sudo/ (Austria)
    ftp://sunsite.ualberta.ca/pub/Mirror/sudo/ (Alberta, Canada)
    ftp://ftp.csc.cuhk.edu.hk/pub/packages/unix-tools/sudo/ (Hong Kong, China)
    ftp://ftp.eunet.cz/security/sudo/ (Czech Republic)
    ftp://ftp.ujf-grenoble.fr/sudo/ (France)
    ftp://netmirror.org/ftp.sudo.ws/ (Frankfurt, Germany)
    ftp://ftp.win.ne.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.st.ryukoku.ac.jp/pub/security/tool/sudo/ (Japan)
    ftp://ftp.cin.nihon-u.ac.jp/pub/misc/sudo/ (Japan)
    ftp://core.ring.gr.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.ring.gr.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.tpnet.pl/d6/ftp.sudo.ws/ (Poland)
    ftp://ftp.cdu.elektra.ru/pub/unix/security/sudo/ (Russia)
    ftp://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)

HTTP Mirrors:
    http://www.sudo.ws/sudo/dist/ (Dallas, Texas, USA)
    http://www.mirrormonster.com/sudo/dist/ (Fremont, California, USA)
    http://sudo.tolix.org/ftp/ (California, USA)
    http://sudo.mirror99.com/ (San Jose, California, USA)
    http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
    http://probsd.org/sudoftp/ (East Coast, USA)
    http://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
    http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
    http://www.ip97.com/sudo/ (Dallas, Texas, USA)
    http://netmirror.org/mirror/ftp.sudo.ws/ (Frankfurt, Germany)
    http://mirror.mons-new-media.de/sudo_ftp/ (Frankfurt, Germany)
    http://core.ring.gr.jp/archives/misc/sudo/ (Japan)
    http://www.ring.gr.jp/archives/misc/sudo/ (Japan)
    http://ftp.tpnet.pl/vol/d6/ftp.sudo.ws/ (Poland)
    http://sudo.tsuren.net/dist/ (Moscow, Russian Federation)
    http://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)

More information about the sudo-announce mailing list