oss-sec mailing list archives
sudo: IP addresses in sudoers with netmask may match additional hosts (CVE-2012-2337)
From: Solar Designer <solar () openwall com>
Date: Fri, 18 May 2012 15:57:26 +0400
Hi, (I was hoping someone else would bring this in here once it became public.) A sudo advisory was published by upstream and corrected versions were released on 2012-05-16: http://www.sudo.ws/sudo/alerts/netmask.html "Summary: A flaw exists in the IP network matching code in sudo versions 1.6.9p3 through 1.8.4p4 that may result in the local host being matched even though it is not actually part of the network described by the IP address and associated netmask listed in the sudoers file or in LDAP. As a result, users authorized to run commands on certain IP networks may be able to run commands on hosts that belong to other networks not explicitly listed in sudoers. Sudo versions affected: Sudo versions 1.6.9p3 through 1.8.4p4 inclusive are affected. The bug only has an effect when the sudoers file (or LDAP sudoers data) using a host specification that grants permissions using an IP address with an associated netmask, e.g. 10.0.1.0/255.255.255.0 or 10.0.2.0/24." This is CVE-2012-2337. Red Hat Bugzilla entries: https://bugzilla.redhat.com/show_bug.cgi?id=820677 https://bugzilla.redhat.com/show_bug.cgi?id=822175 Ubuntu advisory: http://www.ubuntu.com/usn/usn-1442-1/ Debian tracking: http://security-tracker.debian.org/tracker/CVE-2012-2337 Alexander
Current thread:
- sudo: IP addresses in sudoers with netmask may match additional hosts (CVE-2012-2337) Solar Designer (May 18)
- Re: sudo: IP addresses in sudoers with netmask may match additional hosts (CVE-2012-2337) Jan Lieskovsky (May 18)