A major security flaw in sudo
Though it's not required for anything, sudo is installed by default on XCP-ng, and a major security issue was discovered in that tool: https://www.sudo.ws/alerts/unescape_overflow.html
We'll patch it shortly, but if for some reason you have local users besides root on your hosts, take it into consideration.
And take it into consideration in your Linux VMs too, of course! (most distros have already patched it)
An update candidate is available for testing. Really quick feedback would be much appreciated:
yum clean metadata --enablerepo=xcp-ng-testing
yum update sudo --enablerepo=xcp-ng-testing
No reboot needed.
If you were using sudo, check that it still works. If you want to play with the security flaw, https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
Anyone besides myself confirming that the issue was reproducible and that it isn't anymore with the update package will be of great help.
gskger last edited by gskger
@stormi Just did a quick test before and after installing the patch you supplied on one of my playlab hosts (XCP-ng 8.2 fully patched).
sudoedit -s '\' `perl -e 'print "A" x 65536'`

results in

*** Error in `sudoedit': free(): invalid next size (fast): 0x00005633b9d5b130 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x81499)[0x7efdaf3f2499]
/lib64/libc.so.6(__vasprintf_chk+0x144)[0x7efdaf489114]
/lib64/libc.so.6(__asprintf_chk+0x82)[0x7efdaf488fc2]
/lib64/libpam.so.0(+0x4ec1)[0x7efda7ec7ec1]
/lib64/libpam.so.0(+0x5c83)[0x7efda7ec8c83]
/lib64/libpam.so.0(+0x5b62)[0x7efda7ec8b62]
/lib64/libpam.so.0(+0x6235)[0x7efda7ec9235]
/lib64/libpam.so.0(pam_start+0x20b)[0x7efda7ecaa4b]
/usr/libexec/sudo/sudoers.so(+0x8e88)[0x7efda835be88]
/usr/libexec/sudo/sudoers.so(+0x7d61)[0x7efda835ad61]
/usr/libexec/sudo/sudoers.so(+0x9f44)[0x7efda835cf44]
/usr/libexec/sudo/sudoers.so(+0x1d04d)[0x7efda837004d]
/usr/libexec/sudo/sudoers.so(+0x16c84)[0x7efda8369c84]
sudoedit(+0x543f)[0x5633b924e43f]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7efdaf393445]
sudoedit(+0x6d8f)[0x5633b924fd8f]
[...]
With patch applied, result is
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...
Same goes for

sudoedit -s /

(did not record before / after), so the patch gives the expected results as described in the linked articles. Already see the respective patches on my Debian VMs as well. Thumbs up for the swift reaction.
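Why the `sudoedit -s '\'` test above aborts in `free()` is easiest to see on the loop itself. The following is an added example, not code from this thread, from XCP-ng or from the sudo project: it re-implements in isolation the argument-unescaping loop in sudo's set_cmnd() that CVE-2021-3156 abuses, once as shipped and once with the NUL guard the upstream fix adds, and counts how many bytes each variant would write into the buffer sudo sizes beforehand. The argv layout (`"sudoedit"`, `"\"`, 16 `A`s) is constructed here and placed back to back in one array so that reading past an argument's terminator lands in the next argument, as it does on a real process stack; the writes go to a scratch buffer instead of a heap allocation, so the overflow is measured rather than triggered. All function and variable names are this example's own.

```c
/*
 * Added example (not code from the XCP-ng thread or from sudo itself).
 * Simplified re-implementation of the set_cmnd() unescaping loop behind
 * CVE-2021-3156 ("Baron Samedit"), vulnerable and guarded, with the
 * overflow measured instead of performed.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes sudo allocates for user_args: sum of strlen(arg) + 1 over argv[1..]. */
static size_t alloc_size(char *const argv[])
{
    size_t size = 0;
    for (int i = 1; argv[i] != NULL; i++)
        size += strlen(argv[i]) + 1;
    return size;
}

/*
 * The copy loop. A backslash that is not followed by whitespace is dropped
 * and the byte after it is copied. In the vulnerable form (guard_nul == 0) a
 * trailing backslash makes `from` skip onto the string's NUL, copy it, and
 * step past it, so `while (*from)` keeps reading whatever follows in memory.
 * With guard_nul == 1 the extra `from[1] != '\0'` test stops that.
 * Writes go to `scratch` (capacity `cap`); the return value is the number of
 * bytes the loop wanted to write, which is what matters for the overflow.
 */
static size_t unescape_copy(char *const argv[], int guard_nul,
                            char *scratch, size_t cap)
{
    size_t written = 0;
    for (int i = 1; argv[i] != NULL; i++) {
        const char *from = argv[i];
        while (*from) {
            if (from[0] == '\\' && (!guard_nul || from[1] != '\0') &&
                !isspace((unsigned char)from[1]))
                from++;                 /* skip the backslash ... */
            if (written < cap)
                scratch[written] = *from;
            written++;
            from++;                     /* ... and copy the escaped byte */
        }
        if (written < cap)
            scratch[written] = ' ';     /* argument separator */
        written++;
    }
    /* sudo then turns the final ' ' into '\0', which adds no byte. */
    return written;
}

#define NUM_A 16

/* Constructed argv "sudoedit" "\" "AAAAAAAAAAAAAAAA", strings laid out contiguously. */
static size_t demo(int guard_nul, size_t *allocated)
{
    char stack[64];
    char *argv[4];
    char scratch[256];
    size_t off = 0;

    strcpy(stack + off, "sudoedit");   argv[0] = stack + off; off += 9;
    strcpy(stack + off, "\\");         argv[1] = stack + off; off += 2;
    memset(stack + off, 'A', NUM_A);   stack[off + NUM_A] = '\0';
    argv[2] = stack + off;             off += NUM_A + 1;
    stack[off] = '\0';                 /* terminator after the last string */
    argv[3] = NULL;

    *allocated = alloc_size(argv);
    return unescape_copy(argv, guard_nul, scratch, sizeof scratch);
}

/* Bytes written minus bytes allocated: a positive value is a heap overflow. */
static long overflow_bytes(int guard_nul)
{
    size_t allocated;
    size_t written = demo(guard_nul, &allocated);
    return (long)written - (long)allocated;
}

int main(void)
{
    size_t allocated;
    size_t written = demo(0, &allocated);
    printf("vulnerable: allocated %zu, would write %zu (overflow %ld)\n",
           allocated, written, overflow_bytes(0));
    written = demo(1, &allocated);
    printf("guarded:    allocated %zu, would write %zu (overflow %ld)\n",
           allocated, written, overflow_bytes(1));
    return 0;
}
```

With the 16-byte second argument the vulnerable loop writes 16 bytes past the 19 it was allocated: the trailing backslash's NUL is copied, then the next argument is read through once from the overrun and once again as argv[2]. The 65536 `A`s in the thread's one-liner simply make the overrun large enough to corrupt the heap metadata that `free()` later complains about. Whether that input reaches this loop at all depends on the other half of the fix, which keeps sudoedit from taking the `-s` shell path in the first place.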
Thanks again for helping on our test packages @gskger !
The update is now available for everyone https://xcp-ng.org/blog/2021/01/28/security-issue-in-sudo/