Red Hat 9043 Published by

Updated sudo packages are available for Red Hat Linux 7.3, 9, and Fedora Core 1

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated sudo packages fix security issue
Advisory ID: FLSA:152856
Issue date: 2005-05-12
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2004-1051
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated sudo packages that fix a security issue are now available.

Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386



3. Problem description:

A flaw in exists in sudo's environment sanitizing prior to sudo version 1.6.8p2 that could allow a malicious user with permission to run a shell script that utilized the bash shell to run arbitrary commands. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1051 to this issue.

Users of sudo are advised to upgrade to these errata packages, which contain a patch correcting this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152856

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/sudo-1.6.5p2-2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sudo-1.6.5p2-2.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/sudo-1.6.6-3.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/sudo-1.6.6-3.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/sudo-1.6.7p5-2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/sudo-1.6.7p5-2.2.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

19c703b635c9e4299d39b60d9cd16d750a4f6d89
redhat/7.3/updates/i386/sudo-1.6.5p2-2.2.legacy.i386.rpm
9225335d8ca64ca7e1cb1fd98a09a9821ab9b0d8
redhat/7.3/updates/SRPMS/sudo-1.6.5p2-2.2.legacy.src.rpm
73e1ce58ba8f6c211da4271d8f7a792aa01acba2
redhat/9/updates/i386/sudo-1.6.6-3.2.legacy.i386.rpm
4a9c1de46d43694ec94688cfc021ade0dc0b1678
redhat/9/updates/SRPMS/sudo-1.6.6-3.2.legacy.src.rpm
a990c5c070acd9ae8c50181487f2f9cdacb38378
fedora/1/updates/i386/sudo-1.6.7p5-2.2.legacy.i386.rpm
fe6b14daf1f5190e7d39625d6048bb415ba8851c
fedora/1/updates/SRPMS/sudo-1.6.7p5-2.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1051

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org