A major security flaw in sudo
-
Though it's not required for anything, sudo is installed by default on XCP-ng, and a major security issue was discovered in that tool: https://www.sudo.ws/alerts/unescape_overflow.html
We'll patch it shortly, but if for some reason you have local users besides root on your hosts, take it into consideration.
-
And take it into consideration in your Linux VMs too, of course! (most distros already patched it)
-
An update candidate is available for testing. Really quick feedback would be much appreciated:
yum clean metadata --enablerepo=xcp-ng-testing
yum update sudo --enablerepo=xcp-ng-testing
No reboot needed.
If you were using sudo, check that it still works. If you want to play with the security flaw, https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
Anyone besides myself confirming that the issue was reproducible and that it isn't anymore with the update package will be of great help.
-
@stormi Just did a quick test before and after installing the patch you supplied on one of my playlab hosts (XCP-ng 8.2 fully patched).
Before
sudoedit -s '\' `perl -e 'print "A" x 65536'`
results in
*** Error in `sudoedit': free(): invalid next size (fast): 0x00005633b9d5b130 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x81499)[0x7efdaf3f2499]
/lib64/libc.so.6(__vasprintf_chk+0x144)[0x7efdaf489114]
/lib64/libc.so.6(__asprintf_chk+0x82)[0x7efdaf488fc2]
/lib64/libpam.so.0(+0x4ec1)[0x7efda7ec7ec1]
/lib64/libpam.so.0(+0x5c83)[0x7efda7ec8c83]
/lib64/libpam.so.0(+0x5b62)[0x7efda7ec8b62]
/lib64/libpam.so.0(+0x6235)[0x7efda7ec9235]
/lib64/libpam.so.0(pam_start+0x20b)[0x7efda7ecaa4b]
/usr/libexec/sudo/sudoers.so(+0x8e88)[0x7efda835be88]
/usr/libexec/sudo/sudoers.so(+0x7d61)[0x7efda835ad61]
/usr/libexec/sudo/sudoers.so(+0x9f44)[0x7efda835cf44]
/usr/libexec/sudo/sudoers.so(+0x1d04d)[0x7efda837004d]
/usr/libexec/sudo/sudoers.so(+0x16c84)[0x7efda8369c84]
sudoedit(+0x543f)[0x5633b924e43f]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7efdaf393445]
sudoedit(+0x6d8f)[0x5633b924fd8f]
With patch applied, result is
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...
Same goes for
sudoedit -s /
(did not record before / after), so the patch gives the expected results as described in the linked articles. Already see the respective patches on my Debian VMs as well. Thumbs up for swift reaction
-
Thanks again for helping on our test packages @gskger !
-
The update is now available for everyone https://xcp-ng.org/blog/2021/01/28/security-issue-in-sudo/
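The before/after check reported in this thread, as an added shell example that is not part of the original posts: it classifies what `sudoedit -s /` prints, following the rule in the linked Qualys article (a reply starting with `sudoedit:` means vulnerable, one starting with `usage:` means patched), and also recognises the glibc abort line quoted above. The function names and result labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify the first line printed by `sudoedit -s /`.
# Labels (patched / vulnerable / heap-corruption / unknown) are this
# example's own naming, not output of sudo itself.
classify_sudoedit_output() {
    first_line=$(printf '%s\n' "$1" | sed -n '1p')
    case "$first_line" in
        # glibc abort banner as quoted in the thread's "before" run
        "*** Error in "*sudoedit*) echo heap-corruption ;;
        # patched sudoedit rejects -s and prints its usage text
        usage:*)                   echo patched ;;
        # unpatched sudoedit accepts -s and complains about the argument
        sudoedit:*)                echo vulnerable ;;
        # e.g. a password prompt: needs a manual look
        *)                         echo unknown ;;
    esac
}

# Run the probe on the local host and classify the result.
check_host() {
    if ! command -v sudoedit >/dev/null 2>&1; then
        echo not-installed
        return 0
    fi
    # stdin from /dev/null so a password prompt cannot block the script
    out=$(sudoedit -s / 2>&1 </dev/null) || true
    classify_sudoedit_output "$out"
}
```

Call `check_host` as an unprivileged user on each host or VM before and after running the update; `unknown` means the output should be read by hand.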