dherrenvt
Posts: 1
Joined: Fri Jan 29, 2021 4:56 pm

sudo bug? Update plans!

Fri Jan 29, 2021 5:00 pm

Greetings-

Like many I learned today about the apparently very old bug in sudo allowing any user to gain root status. Any plan on when the underlying OS will be updated? It appears the latest version on Raspberry Pi OS is 1.8.27 (from Debian) and is vulnerable.

B.Goode
Posts: 13218
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: sudo bug? Update plans!

Fri Jan 29, 2021 5:06 pm

dherrenvt wrote:
Fri Jan 29, 2021 5:00 pm
Greetings-

Like many I learned today about the apparently very old bug in sudo allowing any user to gain root status. Any plan on when the underlying OS will be updated? It appears the latest version on Raspberry Pi OS is 1.8.27 (from Debian) and is vulnerable.

Any citation or source for what you and many learnt today?

DougieLawson
Posts: 41900
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: sudo bug? Update plans!

Fri Jan 29, 2021 5:10 pm

B.Goode wrote:
Fri Jan 29, 2021 5:06 pm
Any citation or source for what you and many learnt today?
https://www.debian.org/security/2021/dsa-4839

Should flow through to RaspiOS Buster in the very near future.

It's already fixed in Mint V20 and Ubuntu Groovy Gorilla which I run in a VirtualBox.
Languages using left-hand whitespace for syntax are ridiculous

DMs sent on Twitter/LinkedIn will be answered next month.
Fake doctors - are all on my foes list.

The use of crystal balls and mind reading is prohibited.

jdb
Raspberry Pi Engineer & Forum Moderator
Posts: 2660
Joined: Thu Jul 11, 2013 2:37 pm

Re: sudo bug? Update plans!

Fri Jan 29, 2021 5:12 pm

https://www.debian.org/security/2021/dsa-4839

It's already in apt. There is no version number change of the base program, but the package plus Debian patches includes the fix.


sudo/stable,now 1.8.27-1+deb10u3 arm64 [installed]
Provide limited super user privileges to specific users

Running apt update && apt upgrade will pull in the fix.
Rockets are loud.
https://astro-pi.org

B.Goode
Posts: 13218
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: sudo bug? Update plans!

Fri Jan 29, 2021 5:17 pm

I am seeing, on an RPi2 running RasPiOS Buster -


pi@raspberrypi:~/cov19 $ apt-cache policy sudo
sudo:
  Installed: 1.8.27-1+deb10u3
  Candidate: 1.8.27-1+deb10u3
  Version table:
 *** 1.8.27-1+deb10u3 500
        500 http://raspbian.raspberrypi.org/raspbian buster/main armhf Packages
        100 /var/lib/dpkg/status
pi@raspberrypi:~/cov19 $
Seems all is well... Nothing to see here... ?

HappyTux
Posts: 150
Joined: Mon Jan 18, 2021 8:13 pm

Re: sudo bug? Update plans!

Fri Jan 29, 2021 6:00 pm

sudo passwd root to set the root password and be done with it. Who would have thought all these years of going against the trend of lower security would be good for me. As no one is ever going to convince me that having to get two passwords to take over a machine is less secure than only one. As some have tried to with their black is white arguments for it, in favour of the reduced security sudo method. Theirs is just plain laziness on having to remember two passwords...

pidd
Posts: 2798
Joined: Fri May 29, 2020 8:29 pm
Location: Wirral, UK
Contact: Website

Re: sudo bug? Update plans!

Fri Jan 29, 2021 6:34 pm

HappyTux wrote:
Fri Jan 29, 2021 6:00 pm
Theirs is just plain laziness on having to remember two passwords...
Perhaps that may be true in your circumstances but not everybody's.

I probably have over 100 passwords, I probably use sudo over 50 times a day (many more on some days), I have a strong password for Pi (around about 20 characters).

Cracking two 10 character passwords is far easier than cracking one 20 character password.

wh7qq
Posts: 1574
Joined: Thu Oct 09, 2014 2:50 am

Re: sudo bug? Update plans!

Sat Jan 30, 2021 7:47 pm

Isn't it nice that Linux lets you have it either way? We don't (can't) lock our house when away, even on vacation...no need after 21 years...so it seems a good idea to utilize the password requirement.

debuti
Posts: 1
Joined: Sat Jan 30, 2021 9:39 pm

Re: sudo bug? Update plans!

Sat Jan 30, 2021 10:11 pm


Last login: Sat Jan 30 21:31:12 2021 from 192.168.1.4
debuti@dwnldr:~ $ apt-get changelog sudo
Get:1 store: sudo 1.8.27-1+deb10u3 Changelog
Fetched 46.6 kB in 0s (0 B/s)
sudo (1.8.27-1+deb10u3) buster-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Sanity check size when converting the first record to TS_LOCKEXCL
  * Heap-based buffer overflow (CVE-2021-3156)
    - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
    - Add sudoedit flag checks in plugin that are consistent with front-end
    - Fix potential buffer overflow when unescaping backslashes in user_args
    - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL
    - Don't assume that argv is allocated as a single flat buffer

 -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 20 Jan 2021 13:26:17 +0100


