A major security flaw in sudo

stormi

Though it's not required for anything, sudo is installed by default on XCP-ng, and a major security issue was discovered in that tool: https://www.sudo.ws/alerts/unescape_overflow.html

We'll patch it shortly, but if for some reason you have local users besides root on your hosts, take it into consideration.

stormi

And take it in consideration in your linux VMs too, of course! (most distros already patched it)

stormi

An update candidate is available for testing. Really quick feedback would be much appreciated:

yum clean metadata --enablerepo=xcp-ng-testing
yum update sudo --enablerepo=xcp-ng-testing

No reboot needed.

If you were using sudo, check that it still works. If you want to play with the security flaw, https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

Anyone besides myself confirming that the issue was reproducible and that it isn't anymore with the update package will be of great help.

gskger

@stormi Just did a quick test before and after installing the patch you supplied on one of my playlab hosts (XCP-ng 8.2 fully patched).

Before sudoedit -s '\' `perl -e 'print "A" x 65536'` result in

*** Error in `sudoedit': free(): invalid next size (fast): 0x00005633b9d5b130 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x81499)[0x7efdaf3f2499]
/lib64/libc.so.6(__vasprintf_chk+0x144)[0x7efdaf489114]
/lib64/libc.so.6(__asprintf_chk+0x82)[0x7efdaf488fc2]
/lib64/libpam.so.0(+0x4ec1)[0x7efda7ec7ec1]
/lib64/libpam.so.0(+0x5c83)[0x7efda7ec8c83]
/lib64/libpam.so.0(+0x5b62)[0x7efda7ec8b62]
/lib64/libpam.so.0(+0x6235)[0x7efda7ec9235]
/lib64/libpam.so.0(pam_start+0x20b)[0x7efda7ecaa4b]
/usr/libexec/sudo/sudoers.so(+0x8e88)[0x7efda835be88]
/usr/libexec/sudo/sudoers.so(+0x7d61)[0x7efda835ad61]
/usr/libexec/sudo/sudoers.so(+0x9f44)[0x7efda835cf44]
/usr/libexec/sudo/sudoers.so(+0x1d04d)[0x7efda837004d]
/usr/libexec/sudo/sudoers.so(+0x16c84)[0x7efda8369c84]
sudoedit(+0x543f)[0x5633b924e43f]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7efdaf393445]
sudoedit(+0x6d8f)[0x5633b924fd8f]
[...]

With patch applied, result is

usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...

Same goes for sudoedit -s / (did not record before / after), so the patch gives the expected results as described in the linked articels. Already see the respective patches on my Debian VMs as well. Thumbs up for swift reaction

olivierlambert

Thanks again for helping on our test packages @gskger !

stormi

The update is now available for everyone https://xcp-ng.org/blog/2021/01/28/security-issue-in-sudo/