From rea@codelabs.ru  Wed Jan 12 21:15:44 2011
Return-Path: <rea@codelabs.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 0CA63106564A
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 12 Jan 2011 21:15:44 +0000 (UTC)
	(envelope-from rea@codelabs.ru)
Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45])
	by mx1.freebsd.org (Postfix) with ESMTP id 8F7568FC08
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 12 Jan 2011 21:15:43 +0000 (UTC)
Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25])
	by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256)
	id 1Pd82g-000GZA-Id for FreeBSD-gnats-submit@freebsd.org; Thu, 13 Jan 2011 00:15:42 +0300
Message-Id: <20110112211542.48337DA81F@void.codelabs.ru>
Date: Thu, 13 Jan 2011 00:15:42 +0300 (MSK)
From: Eygene Ryabinkin <rea@freebsd.org>
Reply-To: Eygene Ryabinkin <rea@freebsd.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch] security/sudo: fix CVE-2011-0010
X-Send-Pr-Version: 3.113
X-GNATS-Notify: remko@freebsd.org

>Number:         153939
>Category:       ports
>Synopsis:       [patch] security/sudo: fix CVE-2011-0010
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    wxs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 12 21:20:08 UTC 2011
>Closed-Date:    Thu Jan 13 20:01:02 UTC 2011
>Last-Modified:  Thu Jan 13 20:10:12 UTC 2011
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 9.0-CURRENT amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 9.0-CURRENT amd64

>Description:

CVE-2011-0010 was just issued, but the real description of the
problem is available at Debian's bug tracker [1].

In short, if sudoers has an explicit group list in the Runas
specification, 'sudo -g <GROUP> <CMD>' for an allowed <GROUP>
and <CMD> will not ask for a password.

>How-To-Repeat:

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641
[2] http://www.sudo.ws/repos/sudo/rev/fe8a94f96542

Here's the transcript of my test session with the old and the updated
port:
{{{
[prior to patching]
$ sudo -k && sudo -g kmem id
uid=1001(rea) gid=1001(rea) egid=2(kmem) groups=2(kmem),<bunch of>
[after patching]
$ sudo -k && sudo -g kmem id
Password:
uid=1001(rea) gid=1001(rea) egid=2(kmem) groups=2(kmem),<bunch of>
[vanilla id output]
$ id
uid=1001(rea) gid=1001(rea) groups=1001(rea),<bunch of>
}}}

In sudoers I have '(ALL:ALL)' as the Runas specification.

>Fix:

The following patch fixes the problem:
--- fix-CVE-2011-0010.diff begins here ---
From 860a164877887ac1f36a136870f6795ce8f1dc0d Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Wed, 12 Jan 2011 23:24:11 +0300

Prior to this patch sudo allowed users to change groups
without asking for a password.

Look-at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641
Look-at: http://www.sudo.ws/repos/sudo/raw-rev/fe8a94f96542
Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 security/sudo/Makefile                  |    2 +-
 security/sudo/files/patch-cve-2011-0010 |   28 ++++++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletions(-)
 create mode 100644 security/sudo/files/patch-cve-2011-0010

diff --git a/security/sudo/Makefile b/security/sudo/Makefile
index 198a8a6..79757af 100644
--- a/security/sudo/Makefile
+++ b/security/sudo/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	sudo
 PORTVERSION=	1.7.4.4
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security
 MASTER_SITES=	http://www.sudo.ws/sudo/dist/ \
 		http://www.signal42.com/mirrors/sudo_ftp/ \
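Review bot: the PORTREVISION bump from 1 to 2 is required in this hunk, since the port's build output changes once files/patch-cve-2011-0010 is applied; it also matches the `<lt>1.7.4.4_2</lt>` range used in the proposed VuXML entry below, so the two stay consistent.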
diff --git a/security/sudo/files/patch-cve-2011-0010 b/security/sudo/files/patch-cve-2011-0010
new file mode 100644
index 0000000..06696e2
--- /dev/null
+++ b/security/sudo/files/patch-cve-2011-0010
@@ -0,0 +1,28 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@courtesan.com>
+# Date 1294760019 18000
+# Node ID fe8a94f96542335c02d09fba81077c1dcc6381b5
+# Parent  8f9303326db73a2e00cd53c2515db8188386cfc0
+If the user is running sudo as himself but as a different group we
+need to prompt for a password.
+
+diff -r 8f9303326db7 -r fe8a94f96542 check.c
+--- check.c	Mon Jan 10 10:28:59 2011 -0500
++++ check.c	Tue Jan 11 10:33:39 2011 -0500
+@@ -120,7 +120,13 @@
+     if (ISSET(mode, MODE_INVALIDATE)) {
+ 	SET(validated, FLAG_CHECK_USER);
+     } else {
+-	if (user_uid == 0 || user_uid == runas_pw->pw_uid || user_is_exempt())
++	/*
++	 * Don't prompt for the root passwd or if the user is exempt.
++	 * If the user is not changing uid/gid, no need for a password.
++	 */
++	if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
++	    (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) ||
++	    user_is_exempt())
+ 	    return;
+     }
+ 
+
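Review bot: the replacement condition at the end of this hunk keeps the password-free path only when `runas_gr` is unset or the invoking user already belongs to it (`user_in_group(sudo_user.pw, runas_gr->gr_name)`), so `sudo -g` into a group the user is not a member of now prompts, which is exactly the behaviour change shown in the How-To-Repeat transcript. One cosmetic point: the new file opens with an empty line (the first `+` line of the hunk), which patch(1) ignores but which can be dropped.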
-- 
1.7.3.4
--- fix-CVE-2011-0010.diff ends here ---
It works on my test machines and Tinderbox builds are also fine:
 - http://gpf.codelabs.ru/tb-logs/mine-7/sudo-1.7.4.4_2.log
 - http://gpf.codelabs.ru/tb-logs/mine-8/sudo-1.7.4.4_2.log
 - http://gpf.codelabs.ru/tb-logs/mine-9/sudo-1.7.4.4_2.log


The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="908f4cf2-1e8b-11e0-a587-001b77d09812">
    <topic>sudo -- local privilege escalation</topic>
    <affects>
      <package>
	<name>sudo</name>
	<range><lt>1.7.4.4_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>When the sudoers database has entries with a list of groups
	  in the Runas_Spec block, users whom these entries permit to
	  run commands may execute them with the credentials of these
	  groups without any password prompt, using the command
	  &quot;sudo -g &lt;GROUP&gt; &lt;CMD&gt;&quot;.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2011-0010</cvename>
      <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641</url>
      <url>http://www.sudo.ws/repos/sudo/rev/fe8a94f96542</url>
    </references>
    <dates>
      <discovery>2011-01-11</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
I had sent it for review to Remko Lodder, but your (and anyone's)
comments are welcome.
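The no-password path described in the Description and shown in the How-To-Repeat transcript, as an added example that is not part of this PR or of sudo's source: a small C model of the check.c condition before and after upstream changeset fe8a94f96542. The passwd and group records are constructed sample data, `user_in_group()` is a simplified stand-in for sudo's function of the same name (primary gid or gr_mem listing), and the `exempt` flag stands in for `user_is_exempt()`; these are assumptions made for the example, not sudo's code.

```c
/* Added example, not sudo's code: models the check.c password-exemption
 * test before and after the CVE-2011-0010 fix. All records below are
 * constructed sample data. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct passwd_rec { const char *name; unsigned uid; unsigned gid; };
struct group_rec  { const char *name; unsigned gid; const char *members[4]; };

/* constructed sample accounts (uid 1001 matches the transcript) */
static const struct passwd_rec rea  = { "rea",  1001, 1001 };
static const struct passwd_rec root = { "root",    0,    0 };

/* constructed sample groups: kmem has no members, wheel lists rea */
static const struct group_rec kmem  = { "kmem",  2,    { NULL } };
static const struct group_rec wheel = { "wheel", 0,    { "rea", NULL } };
static const struct group_rec rea_g = { "rea",   1001, { NULL } };

/* Simplified stand-in for sudo's user_in_group(): the user belongs to the
 * group if it is their primary gid or they are listed in gr_mem. */
static bool user_in_group(const struct passwd_rec *pw, const struct group_rec *gr)
{
    if (pw->gid == gr->gid)
        return true;
    for (size_t i = 0; gr->members[i] != NULL; i++)
        if (strcmp(gr->members[i], pw->name) == 0)
            return true;
    return false;
}

/* Pre-fix condition (sudo 1.7.4p4): only the uid is compared, so a -g
 * request that leaves the uid alone is never challenged. */
bool needs_password_before(const struct passwd_rec *user,
                           const struct passwd_rec *runas_pw,
                           const struct group_rec *runas_gr, bool exempt)
{
    (void)runas_gr; /* the requested group is ignored here: that is the bug */
    if (user->uid == 0 || user->uid == runas_pw->uid || exempt)
        return false;
    return true;
}

/* Post-fix condition (changeset fe8a94f96542): the uid shortcut applies only
 * when no -g group was requested or the user already belongs to it. */
bool needs_password_after(const struct passwd_rec *user,
                          const struct passwd_rec *runas_pw,
                          const struct group_rec *runas_gr, bool exempt)
{
    if (user->uid == 0 ||
        (user->uid == runas_pw->uid &&
         (runas_gr == NULL || user_in_group(user, runas_gr))) ||
        exempt)
        return false;
    return true;
}

static const char *verdict(bool prompt) { return prompt ? "prompt" : "no prompt"; }

int main(void)
{
    /* "sudo -g kmem id" run by rea, who is not a member of kmem */
    printf("before fix, -g kmem:          %s\n",
           verdict(needs_password_before(&rea, &rea, &kmem, false)));
    printf("after fix,  -g kmem:          %s\n",
           verdict(needs_password_after(&rea, &rea, &kmem, false)));
    /* a group rea already belongs to still needs no password after the fix */
    printf("after fix,  -g wheel (member): %s\n",
           verdict(needs_password_after(&rea, &rea, &wheel, false)));
    return 0;
}
```

The first two printed lines correspond to the "prior to patching" and "after patching" runs in the transcript above; the third shows that the fix leaves the exemption in place for a group the invoking user is already a member of, since such a user could obtain that gid with newgrp(1) anyway.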
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->wxs 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Wed Jan 12 21:20:47 UTC 2011 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=153939 

From: Eygene Ryabinkin <rea@freebsd.org>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: ports/153939: [patch] security/sudo: fix CVE-2011-0010
Date: Thu, 13 Jan 2011 01:11:10 +0300

 Todd Miller just issued an advisory, so I redid the VuXML entry.
 Now it is available at
   http://codelabs.ru/fbsd/vuxml/sudo-cve-2011-0010.xml
 
 Also Todd said that 1.7.4p5 is available,
   http://www.openwall.com/lists/oss-security/2011/01/12/3
 -- 
 Eygene Ryabinkin                                        ,,,^..^,,,
 [ Life's unfair - but root password helps!           | codelabs.ru ]
 [ 82FE 06BC D497 C0DE 49EC  4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/153939: commit references a PR
Date: Thu, 13 Jan 2011 14:09:29 +0000 (UTC)

 rea         2011-01-13 14:09:25 UTC
 
   FreeBSD ports repository
 
   Modified files:
     security/vuxml       vuln.xml 
   Log:
   security/sudo: document privilege escalation, CVE-2011-0010
   
   PR: 153939
   Approved by: delphij (secteam), erwin (mentor)
   Feature safe: yes
   
   Revision  Changes    Path
   1.2277    +34 -1     ports/security/vuxml/vuln.xml
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->closed 
State-Changed-By: wxs 
State-Changed-When: Thu Jan 13 20:00:59 UTC 2011 
State-Changed-Why:  
Committed. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=153939 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/153939: commit references a PR
Date: Thu, 13 Jan 2011 20:00:28 +0000 (UTC)

 wxs         2011-01-13 20:00:11 UTC
 
   FreeBSD ports repository
 
   Modified files:
     security/sudo        Makefile distinfo 
   Log:
   Update to 1.7.4p5.
   
   Special thanks to rea@ for committing the appropriate VuXML for me. :)
   
   PR:             ports/153939
   Submitted by:   rea@
   Security:       908f4cf2-1e8b-11e0-a587-001b77d09812
   Feature safe:   yes
   
   Revision  Changes    Path
   1.121     +2 -3      ports/security/sudo/Makefile
   1.70      +2 -3      ports/security/sudo/distinfo
 
>Unformatted:
