Update sudo, Potential bypass of Runas user restrictions

[Kulmbacher]

pls have a look at https://www.sudo.ws/alerts/minus_1_uid.html

Sudo versions prior to 1.8.28 are affected
sudo vers. MX 18.3, 1.18.19

[BitJam]

Thanks Kulmbacher!

It seems the vulnerability is that a user who is allowed to run commands as any user other than root can also run commands as root. I don't think this is significant for desktop systems like MX where the the main reason for using sudo is to allow a normal user to run commands as root. A proof of concept is:

Code: Select all

sudo "-u#-1" id -u

This should display -1 but it displays 0 showing that the id command was run as root. But on our systems we are allowed to run commands as root directly:

Code: Select all

sudo id -u

So this does not really affect us. It does not make our system less safe because, for us, it is not even a privilege escalation. We've had to react to a number of serious vulnerabilities ovef the past couple of years including Spectre, Meltdown and others. Thank goodness this is not another one.

[jackdanielsesq]

Thanks Bitjam

Saw this early this AM, now there appears to be a Deb update ?

Your advice, please Sir

Regards

Jack

So this does not really affect us. It does not make our system less safe because, for us, it is not even a privilege escalation. We've had to react to a number of serious vulnerabilities ovef the past couple of years including Spectre, Meltdown and others. Thank goodness this is not another one.

[asqwerth]

Debian is still providing support for Stretch until 2022.

[BitJam]

Keep calm and carry on. This vulnerability does not make a normal MX system less secure.

I'm glad Kulmbacher brought it to our attention because we have had some really terrible vulnerabilities not too long ago.

[Kulmbacher]

meanwhile i read this german article, (BitJam`s words ;-)
https://www.linux-magazin.de/news/siche ... e-in-sudo/

The first article i read, was a bit of sensationel Linux vulnerability version ...