Re: CVE assignment notification -- CVE-2010-0427 -- sudo fails to reset group permissions if runas_default set

[Jan Lieskovsky <jlieskov () redhat com>]

Hi Jamie,

  there are two sudo issues:
  a, CVE-2010-0426 sudoedit to allow to run arbitrary code
  b, CVE-2010-0427 sudo fails to reset cached groups, when
                    runas_default option set

Jamie Strandboge wrote:
> On Tue, 2010-02-23 at 17:17 +0100, Jan Lieskovsky wrote:
>
> Thanks for your investigation.
>
> >    b, v1.7.x based versions of sudo are not affected by this
> >       flaw due the differences in the way sudoers file is parsed.

  This comment speaks only about CVE-2010-0427 issue.
> This is in conflict with Todd's statement in his writeup:
> "Sudo versions affected:
> 1.6.9 through 1.7.2p3 inclusive.
> ...
> Fix:
> The bug is fixed in sudo 1.7.2p4 and 1.6.9p21"

  Above quotes from Todd are referring to CVE-2010-0426 issue (and these
  are valid).
> Upstream appears to have patched 1.7.2. Can you explain why it is not
> affected?

  But you mean CVE-2010-0426 here, right? For CVE-2010-0427 wrt to v1.7.x
  you can check reproducer in:

    http://www.gratisoft.us/bugzilla/show_bug.cgi?id=349

  that it isn't working against v1.7.x.

  I probably confused you with 'more about sudo "fails to reset group
  permissions if runas_default set" issue', when not saying this is
  different / new issue.

  Sorry for that.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team