Issue 715506 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	vapier@chromium.org
Closed:	Apr 2017
Cc:	jorgelo@chromium.org
Components:	OS>Packages
EstimatedDays:	----
NextAction:	----
OS:	Chrome
Pri:	1
Type:	Bug-Security
Vomit Security_Impact-Stable Security_Severity-Medium allpublic VerifyIn-61

CrOS: Vulnerability reported in app-admin/sudo

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Apr 26 2017

Issue description

Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported. 

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: app-admin/sudo
Package Version: [cpe:/a:todd_miller:sudo:1.8.12]

Advisory: CVE-2016-7032
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2016-7032
  CVSS severity score: 6.9/10.0
  Confidence: high
  Description:

sudo_noexec.so in Sudo before 1.8.15 on Linux might allow local users to bypass intended noexec command restrictions via an application that calls the (1) system or (2) popen function.

Comment 1 by mmoroz@chromium.org, Apr 26 2017

Components: OS>Packages
Labels: Security_Severity-Medium Security_Impact-Stable

Comment 2 by mmoroz@chromium.org, Apr 26 2017

Owner: jorgelo@chromium.org
Status: Available (was: Untriaged)

jorgelo@, could you please help to find an owner?

Comment 3 by jorgelo@chromium.org, Apr 26 2017

Cc: vapier@chromium.org

Mike, any idea if newer sudos are available in portage-stable?

Comment 4 by jorgelo@chromium.org, Apr 26 2017

Cc: -vapier@chromium.org jorgelo@chromium.org
Owner: vapier@chromium.org
Status: Started (was: Available)

Assigning to Mike since he's doing the work.

Project Member

Comment 5 by bugdroid1@chromium.org, Apr 26 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/91506d3590a983f9a8b0de97d571051fad303a4a

commit 91506d3590a983f9a8b0de97d571051fad303a4a
Author: Mike Frysinger <vapier@chromium.org>
Date: Wed Apr 26 23:19:51 2017

sudo: upgrade to 1.8.19_p2

BUG= chromium:715506 
TEST=precq passes

Change-Id: I8e9c09d9320d0c126c053467fae04d9642be159d
Reviewed-on: https://chromium-review.googlesource.com/488181
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/91506d3590a983f9a8b0de97d571051fad303a4a/app-admin/sudo/Manifest
[modify] https://crrev.com/91506d3590a983f9a8b0de97d571051fad303a4a/app-admin/sudo/metadata.xml
[rename] https://crrev.com/91506d3590a983f9a8b0de97d571051fad303a4a/app-admin/sudo/sudo-1.8.19_p2.ebuild

Comment 6 by vapier@chromium.org, Apr 27 2017

Status: Fixed (was: Started)

i don't think we need to backport.  sudo doesn't allow any non-root user to run in verified mode, and in non-verified mode, we explicitly allow chronos to do anything.

Project Member

Comment 7 by sheriffbot@chromium.org, Apr 27 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Project Member

Comment 8 by sheriffbot@chromium.org, Aug 3 2017

Labels: -Restrict-View-SecurityNotify allpublic

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by dchan@chromium.org, Aug 12 2017

Labels: VerifyIn-61

Comment 10 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)

Comment 11 by vapier@chromium.org, Jun 21 2018

Status: Fixed (was: Archived)

Project Member

Comment 12 by sheriffbot@chromium.org, Jul 28

Labels: -Pri-2 Pri-1

►

Issue 715506 link

Issue metadata

CrOS: Vulnerability reported in app-admin/sudo

Issue description

Comment 1 by mmoroz@chromium.org, Apr 26 2017

Comment 1 Deleted

Comment 2 by mmoroz@chromium.org, Apr 26 2017

Comment 2 Deleted

Comment 3 by jorgelo@chromium.org, Apr 26 2017

Comment 3 Deleted

Comment 4 by jorgelo@chromium.org, Apr 26 2017

Comment 4 Deleted

Comment 5 by bugdroid1@chromium.org, Apr 26 2017

Comment 5 Deleted

Comment 6 by vapier@chromium.org, Apr 27 2017

Comment 6 Deleted

Comment 7 by sheriffbot@chromium.org, Apr 27 2017

Comment 7 Deleted

Comment 8 by sheriffbot@chromium.org, Aug 3 2017

Comment 8 Deleted

Comment 9 by dchan@chromium.org, Aug 12 2017

Comment 9 Deleted

Comment 10 by dchan@chromium.org, Jan 22 2018

Comment 10 Deleted

Comment 11 by vapier@chromium.org, Jun 21 2018

Comment 11 Deleted

Comment 12 by sheriffbot@chromium.org, Jul 28

Comment 12 Deleted

Sign in to add a comment