RHBA-2012:0905 - Bug Fix Advisory

Topic

Updated sudo packages that fix multiple bugs are now available for Red Hat
Enterprise Linux 6.

Description

The sudo packages provide the superuser do (sudo) utility, which allows system
administrators to give certain users the ability to run commands as root.

This update fixes the following bugs:

• Previously, the "-c" check used a very restrictive policy and "visudo -s"

treated unused aliases as errors. This update modifies this behavior and "visudo

• s" only warns about unused aliases. (BZ#604297)
• Previously, core dumping in sudo was disabled in the code. Administrators

could not control the core dumping. This update modifies the code so that core
dumping is no any longer disabled. Now, administrators can control core dumping
in sudo, which is a SUID binary, using the /proc/sys/fs/suid_dumpable file.
(BZ#667120)

• Previously, the "sudoedit" used the wrong SELinux context when manipulating

files. Files could not be edited when SELinux was in enforcing mode, if the
sudoers rule specified a SELinux context that permitted sudoedit. This update
modifies the code to permit a transition to the correct SELinux context. Now,
files can be edited using the correct SELinux context. (BZ#697775)

• Previously, the alias checking code in sudo caused false negatives and

positives. Syntactically correct sudoers files were declared to be erroneous and
unused aliases were not detected. This update modifies the checking code to
eliminate false positives and negatives. (BZ#751680)

Previously, The nslcd service could not be started if the nscld.conf file
contained sudo specific configuration directives. The nslcd daemon could not run
while the LDAP sudoers sources were configured. This update uses the separate
sudo-ldap config file for configuring LDAP sudoers sources. (BZ#760843)

• Previously, sudo could handle signals incorrectly if the SIGCHLD signal was

received immediately before the select()call and the sudo process became
unresponsive after receiving the SIGCHLD signal. This update modifies the
underlying code to improve the signal handling. (BZ#769701)

• Previously, the getgrouplist() function checked the invoker's group membership

instead of the membership of the specified user. As a Consequence, sudo listed
privileges granted to any group the invoking user was a member of when
attempting to view all allowed and forbidden commands both for the invoking user
with the "-l" option and for users specified by the "-U" option. This update
modifies the getgrouplist() function to correctly check the group membership of
the intended user. (BZ#797511)

• Previously, sudo escaped non-aplhanumeric characters in commands using "sudo
• s" or "sudo -" at the wrong place and interfered with the authorization

process. Some valid commands were not permitted. Now, non-aplhanumeric
characters escape immediately before the command is executed and no longer
interfere with the authorization process. (BZ#806095)

• Previously, the sudo tool interpreted a Runas alias that specified a group

incorrectly as a user alias. As a consequencee, the alias appeared to be
ignored. This update modifies the code to interprete these aliases and the Runas
group aliases are honored as expected. (BZ#810147)

• Previously, the sudo word wrapping feature caused output to be wrapped at

terminal width boundary even in output that was piped to an other command. This
update modifies the underlying code to detect whether the output is a pipe and
disables the word wrapping feature in this case. (BZ#810326)

• Previously, the "tls_checkpeer" option was set on a handle that is not used

when connecting to the Lightweight Directory Access Protocol (LDAP) server. The
"tls_checkpeer" option could not be disabled. This update modifies the
underlying code so that the option can now be disabled. (BZ#810372)

All users of sudo are advised to upgrade to this updated package, which fix
these bugs.

Solution

Before applying this update, make sure all previously-released errata relevant
to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 697775 - AVCs and sudoedit: mkstemps: Permission denied
• BZ - 708515 - fails to build without downstream patches
• BZ - 726634 - sudoers(5) man page typo
• BZ - 736653 - README.LDAP is not updated with nslcd.conf
• BZ - 760843 - nslcd.conf incompatible with sudo config
• BZ - 797511 - "sudo -l -U user" may show incorrect privileges for specified user
• BZ - 806386 - Uninitialized return value in 'sudo' package.
• BZ - 810147 - The Runas_Spec are ignored in sudoers file
• BZ - 810326 - sudo -l inserts new lines based on terminal width, causing errors when output is piped.

CVEs

(none)

References

(none)