-----------------------------------------------------------------------
                     Immunix OS Security Advisory

Packages updated:     sudo
Affected products:    ImmunixOS 7.0
Bugs fixed:           immunix/1944
Date:                 Thu Jan 17 2002
Advisory ID:          IMNX-2002-70-001-01
Author:               Seth Arnold <sarnoldat_private>
-----------------------------------------------------------------------

Description:

  Sebastian Krahmer from the SuSE Security Team has discovered that sudo
  versions earlier than 1.6.4 did not clean the user-supplied environment
  before sending mail to the administrator reporting errors. Because the
  environment is not cleaned, an MTA could be passed an unexpected
  environment while running as root -- with at least postfix, and probably
  other MTAs, this can be trivially turned into a root exploit.

  This update to sudo 1.6.5p1 fixes this problem by preventing any
  user-set environment variables from affecting the mail program started
  in response to mail events, such as a user executing sudo without proper
  privileges in sudoers(5).

  Users with postfix should upgrade immediately if there are any untrusted
  user accounts on the machine. Users with other MTAs should upgrade as
  soon as convenient. In the meantime, here are some sudoers(5) rules that
  can help mitigate the problem by turning off the mail events entirely:

    Defaults !mail_always
    Defaults !mail_no_user
    Defaults !mail_no_host
    Defaults !mail_no_perms

  (If using these rules, please recall to use visudo(8) to edit the
  sudoers(5) file.)

  Thanks to Sebastian Krahmer and Todd Miller for the fixes.
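As an added illustration of the defect class and its fix (example code written for this advisory, not sudo's own source): the bug was handing the caller's environment unchanged to a mailer started as root; the hardened shape below builds an explicit environment with a fixed PATH and copies only a small allow-list of variables from the caller. The allow-list (TZ, LANG) and the PATH value are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Variables a root-run helper such as a mailer may inherit; everything else
   is dropped. The allow-list is an assumption for this example, not sudo's. */
static const char *const allowed[] = { "TZ", "LANG", NULL };

/* Number of entries in a NULL-terminated "NAME=value" array. */
size_t env_len(char *const *env) {
    size_t n = 0;
    while (env[n]) n++;
    return n;
}

/* Value of NAME in a NULL-terminated env array, or NULL if absent. */
const char *env_get(char *const *env, const char *name) {
    size_t len = strlen(name);
    for (char *const *p = env; *p; p++)
        if (strncmp(*p, name, len) == 0 && (*p)[len] == '=')
            return *p + len + 1;
    return NULL;
}

/* Environment to hand to the helper: a fixed trusted PATH plus only the
   allow-listed variables copied from src (e.g. environ). NULL-terminated,
   ready for execve(); release with free_env(). */
char **build_clean_env(char *const *src) {
    char **out = calloc(env_len(src) + 2, sizeof *out); /* PATH + NULL */
    size_t k = 0;
    out[k++] = strdup("PATH=/usr/bin:/bin");
    for (char *const *p = src; *p; p++) {
        const char *eq = strchr(*p, '=');
        if (!eq) continue;                        /* malformed entry: drop */
        size_t len = (size_t)(eq - *p);
        for (const char *const *a = allowed; *a; a++)
            if (strlen(*a) == len && strncmp(*a, *p, len) == 0) {
                out[k++] = strdup(*p);
                break;
            }
    }
    out[k] = NULL;
    return out;
}

void free_env(char **env) {
    for (char **p = env; *p; p++) free(*p);
    free(env);
}
```

The vulnerable shape is execve(mailer, argv, environ) from a setuid-root program; the fixed shape passes build_clean_env(environ) as the third argument instead, so a caller-controlled PATH or IFS never reaches the mailer.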
Package names and locations:

  Precompiled binary packages for Immunix 7.0 are available at:
    http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/sudo-1.6.5p1-1_imnx.i386.rpm

  Source package for Immunix 7.0 is available at:
    http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/sudo-1.6.5p1-1_imnx.src.rpm

Immunix OS 7.0 md5sums:

  0e41c0231a226417cf0c5e0d009ac4fe  RPMS/sudo-1.6.5p1-1_imnx.i386.rpm
  2e21a908ad9a7f63ae604bb0a5058ba9  SRPMS/sudo-1.6.5p1-1_imnx.src.rpm

GPG verification:

  Our public key is available at <http://wirex.com/security/GPG_KEY>.

  *** NOTE *** This key is different from the one used in advisories
  IMNX-2001-70-020-01 and earlier.

Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE: Ibiblio is graciously mirroring our updates, so if the links above
are slow, please try:
  ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:
  http://www.ibiblio.org/pub/Linux/MIRRORS.html

ImmunixOS 6.2 is no longer officially supported.

Contact information:

  To report vulnerabilities, please contact securityat_private

  WireX attempts to conform to the RFP vulnerability disclosure protocol
  <http://www.wiretrip.net/rfp/policy.html>.
This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 22:40:17 PST