[sudo-announce] Sudo version 1.6.8p12 now available, fixes security issue.
Todd C. Miller
Todd.Miller at courtesan.com
Thu Nov 10 14:24:44 EST 2005
Sudo version 1.6.8, patchlevel 12 is now available, which fixes a
security issue with perl scripts run via sudo.
Summary:
A flaw exists in sudo's environment sanitizing prior to sudo
version 1.6.8p12 that could allow a malicious user with permission
to run a perl script via sudo to execute arbitrary perl code as the
target user.
Sudo versions affected:
All versions prior to 1.6.8p12.
Details:
The PERL5LIB and PERLLIB environment variables can be used to
provide a list of directories in which to look for perl library
files before the system directories are searched. It is similar
in concept to the LD_LIBRARY_PATH environment variable, only
for perl. These variables are ignored if "tainting" is enabled
(via the -T switch). The PERL5OPT environment variable specifies
additional command line switches that perl treats as if they had
been given on its own command line (including -I, which also
prepends a directory to the library search path), and so may modify
the script's behavior.
Malicious users with sudo access to run a perl script can use
these variables to include and execute their own library file
with the same name as a system library file that is included
(via the "use" or "require" directives) by the perl script run
via sudo.
Impact:
Exploitation of the bug requires that perl be installed on the
machine and that users be granted sudo access to run perl scripts
that do not have tainting turned on.
Fix:
The bug is fixed in sudo 1.6.8p12 and higher.
Workaround:
The administrator can add a line at the top of the sudoers file:
Defaults env_delete+="PERLLIB PERL5LIB PERL5OPT"
which will cause sudo to strip the PERLLIB, PERL5LIB and PERL5OPT
environment variables without requiring a recompile.
Alternately, the administrator can add a line to the top of the
sudoers file:
Defaults env_reset
which will reset the environment to only contain the variables
HOME, LOGNAME, PATH, SHELL, TERM, and USER, also preventing
this attack.
Credit:
This problem was brought to my attention by Charles Morris.
The next major Sudo release will be version 1.7. For information
on what to expect in sudo 1.7, see http://www.sudo.ws/sudo/future.html
You can help speed the release of Sudo 1.7 by purchasing a support
contract or making a donation (see below).
Commercial support is available for Sudo. If your organization
uses Sudo, please consider purchasing a support contract to help
fund future Sudo development at http://www.sudo.ws/support.html
Custom enhancements to Sudo may also be contracted.
You can also help out by making a donation or "purchase" a copy
of Sudo at http://www.sudo.ws/purchase.html
Master Web Site:
http://www.sudo.ws/sudo/
Web Site Mirrors:
http://www.mirrormonster.com/sudo/ (Fremont, California, USA)
http://sudo.stikman.com/ (Los Angeles, California, USA)
http://sudo.tolix.org/ (California, USA)
http://mirage.informationwave.net/sudo/ (Fanwood, New Jersey, USA)
http://www.mrv2k.net/sudo/ (Bend, Oregon, USA)
http://sudo.rtin.bz/ (Philadelphia, Pennsylvania, USA)
http://www.signal42.com/mirrors/sudo_www/ (USA)
http://sudo.xmundo.net/ (Argentina)
http://sudo.planetmirror.com/ (Australia)
http://www.bangladesh-linux-info.org/sudo/sudo.html (Bangladesh)
http://mirror.mons-new-media.de/sudo/ (Germany)
http://sudo.miscellaneousmirror.org/ (Cologne, Germany)
http://sunshine.lv/sudo/ (Latvia)
http://rexem.uni.cc/sudo/ (Kaunas, Lithuania)
http://sudo.cdu.elektra.ru/ (Russia)
http://sudo.nctu.edu.tw/ (Taiwan)
FTP Mirrors:
ftp://ftp.sudo.ws/pub/sudo/ (Dallas, Texas, USA)
ftp://plier.ucar.edu/pub/sudo/ (Boulder, Colorado, USA)
ftp://ftp.cs.colorado.edu/pub/sudo/ (Boulder, Colorado, USA)
ftp://obsd.isc.org/pub/sudo/ (Redwood City, California, USA)
ftp://ftp.stikman.com/pub/sudo/ (Los Angeles, California, USA)
ftp://ftp.tux.org/pub/security/sudo/ (Beltsville, Maryland, USA)
ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
ftp://ftp.uwsg.indiana.edu/pub/security/sudo/ (Bloomington, Indiana, USA)
ftp://mirror.sg.depaul.edu/pub/security/sudo/ (Chicago, Illinois, USA)
ftp://sudo.xmundo.net/pub/mirrors/sudo/ (Argentina)
ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ (Australia)
ftp://ftp.tuwien.ac.at/utils/admin-tools/sudo/ (Austria)
ftp://sunsite.ualberta.ca/pub/Mirror/sudo/ (Alberta, Canada)
ftp://ftp.csc.cuhk.edu.hk/pub/packages/unix-tools/sudo/ (Hong Kong, China)
ftp://ftp.eunet.cz/security/sudo/ (Czech Republic)
ftp://ftp.ujf-grenoble.fr/sudo/ (France)
ftp://netmirror.org/ftp.sudo.ws/ (Frankfurt, Germany)
ftp://ftp.win.ne.jp/pub/misc/sudo/ (Japan)
ftp://ftp.st.ryukoku.ac.jp/pub/security/tool/sudo/ (Japan)
ftp://ftp.cin.nihon-u.ac.jp/pub/misc/sudo/ (Japan)
ftp://core.ring.gr.jp/pub/misc/sudo/ (Japan)
ftp://ftp.ring.gr.jp/pub/misc/sudo/ (Japan)
ftp://ftp.tpnet.pl/d6/ftp.sudo.ws/ (Poland)
ftp://ftp.cdu.elektra.ru/pub/unix/security/sudo/ (Russia)
ftp://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)
HTTP Mirrors:
http://www.sudo.ws/sudo/dist/ (Dallas, Texas, USA)
http://www.mirrormonster.com/sudo/dist/ (Fremont, California, USA)
http://sudo.tolix.org/ftp/ (California, USA)
http://sudo.mirror99.com/ (San Jose, California, USA)
http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
http://probsd.org/sudoftp/ (East Coast, USA)
http://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
http://www.ip97.com/sudo/ (Dallas, Texas, USA)
http://netmirror.org/mirror/ftp.sudo.ws/ (Frankfurt, Germany)
http://mirror.mons-new-media.de/sudo_ftp/ (Frankfurt, Germany)
http://core.ring.gr.jp/archives/misc/sudo/ (Japan)
http://www.ring.gr.jp/archives/misc/sudo/ (Japan)
http://ftp.tpnet.pl/vol/d6/ftp.sudo.ws/ (Poland)
http://sudo.tsuren.net/dist/ (Moscow, Russian Federation)
http://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)