Activity log for bug #1512781
Date | Who | What changed | Old value | New value | Message |
---|---|---|---|---|---|
2015-11-03 16:35:04 | Dmitry Lapshin | bug | added bug | ||
2015-11-03 16:36:03 | Dmitry Lapshin | description | https://www.exploit-db.com/exploits/37710/ As described in the link above, sudo versions lower than or equal to 1.8.14 have a security issue: a user with root access to a path with more than one wildcard can access forbidden files such as /etc/shadow, because sudoedit (sudo -e) does not verify the full path of the accessed file: (quote from link above) It seems that sudoedit does not check the full path if a wildcard is used twice (e.g. /home/*/*/file.txt), allowing a malicious user to replace the file.txt real file with a symbolic link to a different location (e.g. /etc/shadow). As an example, 1. Give user `usr' the right to edit some of his files: usr ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt 2. Under usr, create ~/temp directory, and then create a symlink ~/temp/test.txt to /etc/shadow 3. Perform sudoedit ~/temp/test.txt - you will be able to access /etc/shadow. What release if affected: tested on all currently supported Ubuntu versions. For me personally, it's 14.04 LTS. What version is affected: as mentioned, all versions <=1.8.14. For me personally, it's 1.8.9.5 What was expected and what happened instead: sudoedit should check full real path, but it didn't. | https://www.exploit-db.com/exploits/37710/ As described in the link above, sudo versions lower than or equal to 1.8.14 have a security issue: a user with root access to a path with more than one wildcard can access forbidden files such as /etc/shadow, because sudoedit (sudo -e) does not verify the full path of the accessed file: (quote from link above) It seems that sudoedit does not check the full path if a wildcard is used twice (e.g. /home/*/*/file.txt), allowing a malicious user to replace the file.txt real file with a symbolic link to a different location (e.g. /etc/shadow). As an example, 1. Give user `usr' the right to edit some of his files: usr ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt 2. Under usr, create ~/temp directory, and then create a symlink ~/temp/test.txt to /etc/shadow 3. Perform sudoedit ~/temp/test.txt - you will be able to access /etc/shadow. What release is affected: tested on all currently supported Ubuntu versions. For me personally, it's 14.04 LTS. What version is affected: as mentioned, all versions <=1.8.14. For me personally, it's 1.8.9p5 What was expected and what happened instead: sudoedit should check full real path, but it didn't. | |
2015-11-03 16:36:31 | Dmitry Lapshin | summary | CVE-2015-5602 - Unauthorized Privilege | CVE-2015-5602 - Unauthorized Privilege Escalation | |
2015-11-03 16:51:23 | Marc Deslauriers | information type | Private Security | Public Security | |
2015-11-03 16:51:31 | Marc Deslauriers | nominated for series | Ubuntu Precise | ||
2015-11-03 16:51:31 | Marc Deslauriers | bug task added | sudo (Ubuntu Precise) | ||
2015-11-03 16:51:31 | Marc Deslauriers | nominated for series | Ubuntu Wily | ||
2015-11-03 16:51:31 | Marc Deslauriers | bug task added | sudo (Ubuntu Wily) | ||
2015-11-03 16:51:31 | Marc Deslauriers | nominated for series | Ubuntu Trusty | ||
2015-11-03 16:51:31 | Marc Deslauriers | bug task added | sudo (Ubuntu Trusty) | ||
2015-11-03 16:51:31 | Marc Deslauriers | nominated for series | Ubuntu Xenial | ||
2015-11-03 16:51:31 | Marc Deslauriers | bug task added | sudo (Ubuntu Xenial) | ||
2015-11-03 16:51:31 | Marc Deslauriers | nominated for series | Ubuntu Vivid | ||
2015-11-03 16:51:31 | Marc Deslauriers | bug task added | sudo (Ubuntu Vivid) | ||
2015-11-03 16:52:06 | Marc Deslauriers | sudo (Ubuntu Precise): status | New | Confirmed | |
2015-11-03 16:52:10 | Marc Deslauriers | sudo (Ubuntu Trusty): status | New | Confirmed | |
2015-11-03 16:52:12 | Marc Deslauriers | sudo (Ubuntu Vivid): status | New | Confirmed | |
2015-11-03 16:52:15 | Marc Deslauriers | sudo (Ubuntu Wily): status | New | Confirmed | |
2015-11-03 16:52:18 | Marc Deslauriers | sudo (Ubuntu Xenial): status | New | Confirmed | |
2015-11-03 17:46:08 | Seth Arnold | attachment added | o_nofollow.c https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1512781/+attachment/4512250/+files/o_nofollow.c | ||
2015-11-05 13:10:21 | Laurent Bigonville | cve linked | 2015-5602 | ||
2015-11-05 13:21:02 | Laurent Bigonville | bug watch added | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804149 | ||
2015-11-05 13:21:02 | Laurent Bigonville | bug task added | sudo (Debian) | ||
2015-11-05 15:00:44 | Bug Watch Updater | sudo (Debian): status | Unknown | Confirmed | |
2015-11-05 22:55:35 | Marc Deslauriers | bug watch added | http://bugzilla.sudo.ws/show_bug.cgi?id=707 | ||
2015-11-05 22:55:35 | Marc Deslauriers | bug task added | sudo | ||
2016-01-19 18:11:28 | Bug Watch Updater | sudo (Debian): status | Confirmed | Fix Released | |
2016-03-08 21:50:16 | Simon Déziel | bug | added subscriber Simon Déziel | ||
2016-04-20 16:52:12 | Marc Deslauriers | sudo (Ubuntu Xenial): status | Confirmed | Fix Released | |
2021-10-14 02:24:45 | Steve Langasek | sudo (Ubuntu Precise): status | Confirmed | Won't Fix |