Critical sudo vulnerability

Hope we get a patch soon if not already done :slight_smile:

If this is a wrong area please move or modify this topic.

It has already been reported, but thanks for your concern anyway. :wink: :+1:

3 Likes

We will check and push it as needed.

2 Likes

The title is misleading

See https://seclists.org/oss-sec/2019/q4/18

Exploiting the bug requires that the user have sudo privileges that
allow them to run commands with an arbitrary user ID. Typically,
this means that the user's sudoers entry has the special value ALL
in the Runas specifier.

That means that Manjaro is not vulnerable out-of-the-box. The admin needs to create a sudoer entry for the malicious user first.

2 Likes

Good to know, though I'm a Linux noob anyway.

1 Like

It's not even that ... it's that if you grant a user sudo access for everything except some things (by using !thething in the sudoers file config) it can be usurped by trivially forcing the userID.

This doesn't have any real-world impact for virtually every normal system.

If you somehow relied on that mechanism for a specific multiuser setup and relied on that method of 'sudo but' .. then you are vulnerable to those users being able to execute those commands they shouldn't be able to by using this workaround.

Again - this isn't really a big issue for most home users.

[also .. I think the updated package is already in Unstable .. don't know about the rest]

5 Likes

Problem solved with sudo 1.8.28-0.

Package stable testing unstable
sudo 1.8.28-0 1.8.28-0 1.8.28-1

Source: https://manjaro32.org/repo-compare/

OT: @jonathon This Repo-compare tool is so good.

6 Likes
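An audit sketch for the two conditions raised in this thread (a sudoers entry with ALL in the Runas specifier, and a sudo older than 1.8.28), added here as an example and not written by any poster or by the sudo or Manjaro projects. The function names, the sample sudoers content and its users and host are constructed for illustration.

```python
import re

FIXED = (1, 8, 28)  # release the thread reports as fixed

# user  host = (runas_users[:runas_groups])  commands
SPEC = re.compile(r'^\s*(?P<who>[^\s#=]+)\s+[^=]+?=\s*\((?P<runas>[^)]*)\)\s*(?P<cmd>.+)$')

def sudo_is_fixed(version):
    """True if a version such as '1.8.27' or '1.8.28p1' is >= 1.8.28."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', version)
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    return tuple(map(int, m.groups())) >= FIXED

def audit(sudoers_text, version):
    """List entries whose Runas user list contains ALL.

    Runas_Alias names are not expanded, so an alias that hides ALL is missed.
    """
    fixed = sudo_is_fixed(version)
    findings = []
    text = sudoers_text.replace('\\\n', ' ')   # join continued lines
    for line in text.splitlines():
        if line.lstrip().startswith('#'):      # comment or #include
            continue
        m = SPEC.match(line)
        if not m:
            continue                           # Defaults, aliases, blanks
        users = [u.strip() for u in m['runas'].split(':')[0].split(',')]
        if 'ALL' not in users:
            continue                           # fixed Runas target: precondition not met
        excluded = [u[1:].strip() for u in users if u.startswith('!')]
        findings.append({
            'who': m['who'],
            'excluded': excluded,
            # Only rules that depend on an exclusion lose anything to the bug
            'at_risk': bool(excluded) and not fixed,
        })
    return findings

# Constructed sample sudoers content (hypothetical users and host)
SAMPLE = """\
Defaults env_reset
root    ALL=(ALL) ALL
%wheel  ALL=(ALL:ALL) ALL
alice   buildhost = (ALL, !root) /usr/bin/vi
bob     ALL=(www-data) /usr/bin/systemctl restart nginx
"""

if __name__ == '__main__':
    for f in audit(SAMPLE, '1.8.27'):
        print(f)
```

On a real system the text would come from /etc/sudoers and the files under /etc/sudoers.d, and the version from the installed package.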

This was super fast! Thanks a lot to the Manjaro team for this fast update! :bowing_man:

2 Likes

And if you want to get really paranoid ... https://security.archlinux.org/advisory

1 Like

To be fair, this security vulnerability was not mentioned anywhere on Arch Linux security advisories/CVEs.

True, but that's not my point.

Just out of curiosity: I just had a little chat with another user and he claimed that security patches are being distributed before the press makes them public. The Ubuntu changelogs support this claim:
[image]

Is this true for Manjaro as well or how is the date in this changelog so much earlier (if it's not an error)?

The commit that fixes this security issue has been published on October 10th, 2019. See this: https://www.sudo.ws/repos/sudo/rev/83db8dba09e7 .

sudo 1.8.28 was released on October 14th, 2019.

https://www.sudo.ws/news.html

So it would not be surprising that people in the security team of the various distributions got informed of the issue if they follow the news, mailing lists, development repo (Git, SVN, etc.) of different projects, or received something from the devs of the sudo project about this when the fix got published in their development repo, so it can be backported (in the case of fixed-release distros that will stick with whatever version of sudo they have).

1 Like
