5.316. sudo
An updated sudo package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root.
Security Fix
- CVE-2012-2337
- A flaw was found in the way the network matching code in sudo handled multiple IP networks listed in user specification configuration directives. A user, who is authorized to run commands with sudo on specific hosts, could use this flaw to bypass intended restrictions and run those commands on hosts not matched by any of the network specifications.
All users of sudo are advised to upgrade to this updated package, which contains a backported patch to correct this issue.
5.316.2. RHBA-2012:1142 — sudo bug fix update
Updated sudo packages that fix a bug are now available for Red Hat Enterprise Linux 6.
The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root.
Bug Fix
- BZ#840872
- Due to a regression, the suspend and resume actions of commands in sudo shell did not work properly. Consequently, the sudo shell could become unresponsive. A patch has been provided to address this issue and commands in sudo shell can now be suspended and resumed as expected.
Users of sudo are advised to upgrade to these updated packages, which fix this bug.
5.316.3. RHBA-2012:0905 — sudo bug fix update
Updated sudo packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
The sudo packages provide the superuser do (sudo) utility, which allows system administrators to give certain users the ability to run commands as root.
Bug Fixes
- BZ#604297
- Previously, the "-c" check used a very restrictive policy and "visudo -s" treated unused aliases as errors. This update modifies this behavior and "visudo -s" only warns about unused aliases.
- BZ#667120
- Previously, core dumping in sudo was disabled in the code. Administrators could not control the core dumping. This update modifies the code so that core dumping is no any longer disabled. Now, administrators can control core dumping in sudo, which is a SUID binary, using the /proc/sys/fs/suid_dumpable file.
- BZ#697775
- Previously, the "sudoedit" used the wrong SELinux context when manipulating files. Files could not be edited when SELinux was in enforcing mode, if the sudoers rule specified a SELinux context that permitted sudoedit. This update modifies the code to permit a transition to the correct SELinux context. Now, files can be edited using the correct SELinux context.
- BZ#751680
- Previously, the alias checking code in sudo caused false negatives and positives. Syntactically correct sudoers files were declared to be erroneous and unused aliases were not detected. This update modifies the checking code to eliminate false positives and negatives.
- BZ#760843
- Previously, The nslcd service could not be started if the nscld.conf file contained sudo specific configuration directives. The nslcd daemon could not run while the LDAP sudoers sources were configured. This update uses the separate sudo-ldap config file for configuring LDAP sudoers sources.
- BZ#769701
- Previously, sudo could handle signals incorrectly if the SIGCHLD signal was received immediately before the select()call and the sudo process became unresponsive after receiving the SIGCHLD signal. This update modifies the underlying code to improve the signal handling.
- BZ#797511
- Previously, the getgrouplist() function checked the invoker's group membership instead of the membership of the specified user. As a Consequence, sudo listed privileges granted to any group the invoking user was a member of when attempting to view all allowed and forbidden commands both for the invoking user with the "-l" option and for users specified by the "-U" option. This update modifies the getgrouplist() function to correctly check the group membership of the intended user.
- BZ#806095
- Previously, sudo escaped non-aplhanumeric characters in commands using "sudo -s" or "sudo -" at the wrong place and interfered with the authorization process. Some valid commands were not permitted. Now, non-aplhanumeric characters escape immediately before the command is executed and no longer interfere with the authorization process.
- BZ#810147
- Previously, the sudo tool interpreted a Runas alias that specified a group incorrectly as a user alias. As a consequencee, the alias appeared to be ignored. This update modifies the code to interprete these aliases and the Runas group aliases are honored as expected.
- BZ#810326
- Previously, the sudo word wrapping feature caused output to be wrapped at terminal width boundary even in output that was piped to an other command. This update modifies the underlying code to detect whether the output is a pipe and disables the word wrapping feature in this case.
- BZ#810372
- Previously, the "tls_checkpeer" option was set on a handle that is not used when connecting to the Lightweight Directory Access Protocol (LDAP) server. The "tls_checkpeer" option could not be disabled. This update modifies the underlying code so that the option can now be disabled.
All users of sudo are advised to upgrade to this updated package, which fix these bugs.
5.316.4. RHBA-2013:0619 — sudo bug fix update
Updated sudo packages that fix one bug are now available for Red Hat Enterprise Linux 6 Extended Update Support.
The superuser do (Sudo) utility allows system administrators to give certain users the ability to run commands as root.
Bug Fix
- BZ#891593
- Previously, the sudo utility executed commands directly and replaced the sudo process. However, in a previous update, internal execution method of commands in sudo changed and sudo now runs commands as child processes. This change in behavior caused problems with custom scripts. This update adds the cmnd_no_wait option; with it, the old behavior is restored and commands are executed directly in the sudo process, thus fixing this bug.
Users of sudo are advised to upgrade to these updated packages, which fix this bug.