[Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

Michael Hudson-Doyle 1915307 at bugs.launchpad.net
Mon Feb 15 00:19:11 UTC 2021


Thanks, this looks good to me but out of an abundance of caution (this
is sudo, after all), I'm going to get Marc from the security team to
take a look -- it seems the upstream fixes for the CVE are a bit
different from the ones currently in Ubuntu and I'd like him to verify
that we think upstream got this right :-)

** Changed in: sudo (Ubuntu)
     Assignee: William Wilson (jawn-smith) => Marc Deslauriers (mdeslaur)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1915307

Title:
  Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

Status in sudo package in Ubuntu:
  In Progress

Bug description:
  This requires a merge because there are changes in the Ubuntu version
  not present in the Debian version.

  ------ Justification of patches removed from debian/patches/series ------
  * typo-in-classic-insults.diff
    * This exact patch is present in upstream version 1.9.5p2-2
  * paths-in-samples.diff
    * This exact patch is present in upstream version 1.9.5p2-2
  * Whitelist-DPKG_COLORS-environment-variable.diff
    * This exact patch is present in upstream version 1.9.5p2-2
  * CVE-2021-23239.patch
    * This exact patch is NOT present in upstream version 1.9.5p2-2
      * The patch is made to address a vulnerability wherein users
        were able to gain information about what directories existed
        that they should not have had access to.
      * Upstream version 1.9.5p2-2 addresses this vulnerability using
        the function sudo_edit_parent_valid in the file src/sudo_edit.c
      * Since the vulnerability is addressed in upstream version
        1.9.5p2-2 it can safely be dropped
  * CVE-2021-3156-1.patch
    * The code from this patch already exists in upstream
      version 1.9.5p2-2
  * CVE-2021-3156-2.patch
    * The code from this patch already exists in upstream
      version 1.9.5p2-2
  * CVE-2021-3156-3.patch
    * The code from this patch already exists in upstream
      version 1.9.5p2-2
  * CVE-2021-3156-4.patch
    * The code from this patch already exists in upstream
      version 1.9.5p2-2
  * CVE-2021-3156-5.patch
    * The code from this patch already exists in upstream
      version 1.9.5p2-2
  * ineffective_no_root_mailer.patch
    * This exact patch is present in upstream version 1.9.5p2-2
      under the name fix-no-root-mailer.diff

  Changes:
    * Merge from Debian unstable. (LP: #1915307)
      Remaining changes:
      - debian/rules:
        + use dh-autoreconf
      - debian/rules: stop shipping init scripts, as they are no longer
        necessary.
      - debian/rules:
        + compile with --without-lecture --with-tty-tickets --enable-admin-flag
        + install man/man8/sudo_root.8 in both flavours
        + install apport hooks
      - debian/sudo-ldap.dirs, debian/sudo.dirs:
        + add usr/share/apport/package-hooks
      - debian/sudo.pam:
        + Use pam_env to read /etc/environment and /etc/default/locale
          environment files. Reading ~/.pam_environment is not permitted due
          to security reasons.
      - debian/sudoers:
        + also grant admin group sudo access
        + include /snap/bin in the secure_path

  sudo (1.9.5p2-2) unstable; urgency=medium

    * patch from upstream repo to fix NO_ROOT_MAILER

  sudo (1.9.5p2-1) unstable; urgency=high

    * new upstream version, addresses CVE-2021-3156

  sudo (1.9.5p1-1.1) unstable; urgency=high

    * Non-maintainer upload.
    * Heap-based buffer overflow (CVE-2021-3156)
      - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
      - Add sudoedit flag checks in plugin that are consistent with front-end
      - Fix potential buffer overflow when unescaping backslashes in user_args
      - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL
      - Don't assume that argv is allocated as a single flat buffer

  sudo (1.9.5p1-1) unstable; urgency=medium

    * new upstream version, closes: #980028

  sudo (1.9.5-1) unstable; urgency=medium

    * new upstream version

  sudo (1.9.4p2-2ubuntu3) hirsute; urgency=medium

    * SECURITY UPDATE: ineffective NO_ROOT_MAILER hardening option
      - debian/patches/ineffective_no_root_mailer.patch: fix NO_ROOT_MAILER
        in plugins/sudoers/logging.c, plugins/sudoers/policy.c.
      - No CVE number

  sudo (1.9.4p2-2ubuntu2) hirsute; urgency=medium

    * SECURITY UPDATE: dir existence issue via sudoedit race
      - debian/patches/CVE-2021-23239.patch: fix potential directory existing
        info leak in sudoedit in src/sudo_edit.c.
      - CVE-2021-23239
    * SECURITY UPDATE: heap-based buffer overflow
      - debian/patches/CVE-2021-3156-1.patch: reset valid_flags to
        MODE_NONINTERACTIVE for sudoedit in src/parse_args.c.
      - debian/patches/CVE-2021-3156-2.patch: add sudoedit flag checks in
        plugin in plugins/sudoers/policy.c.
      - debian/patches/CVE-2021-3156-3.patch: fix potential buffer overflow
        when unescaping backslashes in plugins/sudoers/sudoers.c.
      - debian/patches/CVE-2021-3156-4.patch: fix the memset offset when
        converting a v1 timestamp to TS_LOCKEXCL in
        plugins/sudoers/timestamp.c.
      - debian/patches/CVE-2021-3156-5.patch: don't assume that argv is
        allocated as a single flat buffer in src/parse_args.c.
      - CVE-2021-3156
