XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    A major security flaw in sudo

    News
    3
    6
    524
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stormiS
      stormi Vates πŸͺ XCP-ng Team πŸš€
      last edited by

      Though it's not required for anything, sudo is installed by default on XCP-ng, and a major security issue was discovered in that tool: https://www.sudo.ws/alerts/unescape_overflow.html

      We'll patch it shortly, but if for some reason you have local users besides root on your hosts, take it into consideration.

      1 Reply Last reply Reply Quote 1
      • stormiS
        stormi Vates πŸͺ XCP-ng Team πŸš€
        last edited by

        And take it in consideration in your linux VMs too, of course! (most distros already patched it)

        1 Reply Last reply Reply Quote 0
        • stormiS
          stormi Vates πŸͺ XCP-ng Team πŸš€
          last edited by

          An update candidate is available for testing. Really quick feedback would be much appreciated:

          yum clean metadata --enablerepo=xcp-ng-testing
yum update sudo --enablerepo=xcp-ng-testing

          No reboot needed.

          If you were using sudo, check that it still works. If you want to play with the security flaw, https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

          Anyone besides myself confirming that the issue was reproducible and that it isn't anymore with the update package will be of great help.

          gskgerG 1 Reply Last reply Reply Quote 1
          • gskgerG
            gskger Top contributor πŸ’ͺ @stormi
            last edited by gskger

            @stormi Just did a quick test before and after installing the patch you supplied on one of my playlab hosts (XCP-ng 8.2 fully patched).

            Before sudoedit -s '\' `perl -e 'print "A" x 65536'` result in

            *** Error in `sudoedit': free(): invalid next size (fast): 0x00005633b9d5b130 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x81499)[0x7efdaf3f2499]
/lib64/libc.so.6(__vasprintf_chk+0x144)[0x7efdaf489114]
/lib64/libc.so.6(__asprintf_chk+0x82)[0x7efdaf488fc2]
/lib64/libpam.so.0(+0x4ec1)[0x7efda7ec7ec1]
/lib64/libpam.so.0(+0x5c83)[0x7efda7ec8c83]
/lib64/libpam.so.0(+0x5b62)[0x7efda7ec8b62]
/lib64/libpam.so.0(+0x6235)[0x7efda7ec9235]
/lib64/libpam.so.0(pam_start+0x20b)[0x7efda7ecaa4b]
/usr/libexec/sudo/sudoers.so(+0x8e88)[0x7efda835be88]
/usr/libexec/sudo/sudoers.so(+0x7d61)[0x7efda835ad61]
/usr/libexec/sudo/sudoers.so(+0x9f44)[0x7efda835cf44]
/usr/libexec/sudo/sudoers.so(+0x1d04d)[0x7efda837004d]
/usr/libexec/sudo/sudoers.so(+0x16c84)[0x7efda8369c84]
sudoedit(+0x543f)[0x5633b924e43f]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7efdaf393445]
sudoedit(+0x6d8f)[0x5633b924fd8f]
[...]

            With patch applied, result is

            usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...

            Same goes for sudoedit -s / (did not record before / after), so the patch gives the expected results as described in the linked articels. Already see the respective patches on my Debian VMs as well. Thumbs up for swift reaction πŸ‘

            1 Reply Last reply Reply Quote 2
            • olivierlambertO
              olivierlambert Vates πŸͺ Co-Founder🦸 CEO πŸ§‘β€πŸ’Ό
              last edited by

              Thanks again for helping on our test packages @gskger !

              1 Reply Last reply Reply Quote 0
              • stormiS
                stormi Vates πŸͺ XCP-ng Team πŸš€
                last edited by

                The update is now available for everyone https://xcp-ng.org/blog/2021/01/28/security-issue-in-sudo/

                1 Reply Last reply Reply Quote 1
                • First post
                  Last post