Issued: 2012-06-20
Updated: 2012-06-20

RHBA-2012:0905 - sudo bug fix update


Synopsis

sudo bug fix update

Type/Severity

Bug Fix Advisory (none)

Topic

Updated sudo packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.

Description

The sudo packages provide the superuser do (sudo) utility, which allows system administrators to give certain users the ability to run commands as root.

This update fixes the following bugs:

  • Previously, the "-c" check used a very restrictive policy and "visudo -s" treated unused aliases as errors. This update modifies this behavior and "visudo -s" only warns about unused aliases. (BZ#604297)

  • Previously, core dumping in sudo was disabled in the code, so administrators could not control it. This update modifies the code so that core dumping is no longer disabled. Now, administrators can control core dumping in sudo, which is a SUID binary, using the /proc/sys/fs/suid_dumpable file. (BZ#667120)

  • Previously, the "sudoedit" used the wrong SELinux context when manipulating files. Files could not be edited when SELinux was in enforcing mode, if the sudoers rule specified a SELinux context that permitted sudoedit. This update modifies the code to permit a transition to the correct SELinux context. Now, files can be edited using the correct SELinux context. (BZ#697775)

  • Previously, the alias checking code in sudo caused false negatives and positives. Syntactically correct sudoers files were declared to be erroneous and unused aliases were not detected. This update modifies the checking code to eliminate false positives and negatives. (BZ#751680)

  • Previously, the nslcd service could not be started if the nslcd.conf file contained sudo-specific configuration directives. The nslcd daemon could not run while the LDAP sudoers sources were configured. This update uses the separate sudo-ldap config file for configuring LDAP sudoers sources. (BZ#760843)

  • Previously, sudo could handle signals incorrectly if the SIGCHLD signal was received immediately before the select() call, so the sudo process became unresponsive after receiving the SIGCHLD signal. This update modifies the underlying code to improve the signal handling. (BZ#769701)
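The race described above, a SIGCHLD that lands between the last status check and the select() call, is classically closed with the self-pipe trick. The following C program is an added illustration written for this page, not code from sudo or from the update: the SIGCHLD handler writes one byte into a pipe, and the wait loop selects on the pipe's read end, so a signal delivered just before select() is entered still wakes the loop instead of being lost. The function names install_sigchld_selfpipe and run_child_and_wait, the 100 ms child delay and the timeout are this example's own choices.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* glibc: declares sigaction() and friends */
#endif
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Self-pipe: the SIGCHLD handler writes one byte, and the wait loop selects on
 * the read end. A signal that lands between the caller's last check and the
 * select() call is not lost, because the byte sits in the pipe until read. */
static int sigpipe_fds[2] = { -1, -1 };

static void on_sigchld(int signo)
{
    int saved = errno;                    /* write() may clobber errno */
    unsigned char b = 1;
    (void)signo;
    (void)write(sigpipe_fds[1], &b, 1);   /* write() is async-signal-safe */
    errno = saved;
}

static int set_nonblock_cloexec(int fd)
{
    int fl = fcntl(fd, F_GETFL);
    if (fl == -1 || fcntl(fd, F_SETFL, fl | O_NONBLOCK) == -1)
        return -1;
    int fd_fl = fcntl(fd, F_GETFD);
    if (fd_fl == -1 || fcntl(fd, F_SETFD, fd_fl | FD_CLOEXEC) == -1)
        return -1;
    return 0;
}

/* Create the pipe and install the handler. Returns 0 on success, -1 on error. */
int install_sigchld_selfpipe(void)
{
    if (pipe(sigpipe_fds) == -1)
        return -1;
    if (set_nonblock_cloexec(sigpipe_fds[0]) == -1 ||
        set_nonblock_cloexec(sigpipe_fds[1]) == -1)
        return -1;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NOCLDSTOP;           /* child exits wake us, stops do not */
    return sigaction(SIGCHLD, &sa, NULL);
}

/* Fork a child that exits with `code` after a short delay, then wait for it by
 * selecting on the self-pipe. Returns the child's exit status, or -1 if
 * nothing arrived within timeout_sec (the "unresponsive" outcome the advisory
 * describes) or the child did not exit normally. */
int run_child_and_wait(int code, int timeout_sec)
{
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        struct timespec delay = { 0, 100 * 1000 * 1000 };   /* 100 ms, constructed */
        nanosleep(&delay, NULL);
        _exit(code);
    }
    for (;;) {
        fd_set rfds;
        FD_ZERO(&rfds);
        FD_SET(sigpipe_fds[0], &rfds);
        struct timeval tv = { timeout_sec, 0 };
        int r = select(sigpipe_fds[0] + 1, &rfds, NULL, NULL, &tv);
        if (r == -1 && errno == EINTR)
            continue;                     /* handler ran; the byte is in the pipe */
        if (r <= 0)
            return -1;                    /* 0: timed out, -1: real error */
        unsigned char buf[64];
        while (read(sigpipe_fds[0], buf, sizeof buf) > 0)
            ;                             /* drain every queued wake-up */
        int status;
        pid_t w = waitpid(pid, &status, WNOHANG);
        if (w == pid)
            return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
        if (w == -1)
            return -1;
        /* w == 0: a stale byte woke us before this child exited; keep waiting */
    }
}

int main(void)
{
    if (install_sigchld_selfpipe() == -1) {
        perror("install_sigchld_selfpipe");
        return 1;
    }
    printf("child exited with status %d\n", run_child_and_wait(3, 5));
    return 0;
}
```

Without the pipe, a flag set by the handler would be checked once and then select() would block with no timeout, which is exactly the hang the advisory reports; with the pipe, the wake-up is data on a descriptor and survives the window between the check and the call.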

  • Previously, the getgrouplist() function checked the invoker's group membership instead of the membership of the specified user. As a consequence, sudo listed privileges granted to any group the invoking user was a member of when attempting to view all allowed and forbidden commands, both for the invoking user with the "-l" option and for users specified by the "-U" option. This update modifies the getgrouplist() function to correctly check the group membership of the intended user. (BZ#797511)

  • Previously, sudo escaped non-alphanumeric characters in commands run with "sudo -s" or "sudo -" at the wrong point, which interfered with the authorization process: some valid commands were not permitted. Now, non-alphanumeric characters are escaped immediately before the command is executed and no longer interfere with the authorization process. (BZ#806095)

  • Previously, the sudo tool incorrectly interpreted a Runas alias that specified a group as a user alias. As a consequence, the alias appeared to be ignored. This update modifies the code to interpret these aliases correctly, and Runas group aliases are honored as expected. (BZ#810147)

  • Previously, the sudo word wrapping feature caused output to be wrapped at the terminal width boundary even when the output was piped to another command. This update modifies the underlying code to detect whether the output is a pipe and disables word wrapping in that case. (BZ#810326)
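The pipe detection described above is, in practice, an isatty() check followed by a terminal size query. The C program below is an added example for this page, not sudo's own implementation: wrap_width_for() returns 0 (meaning "do not wrap") for any descriptor that is not a terminal, the terminal's column count otherwise, and wrap_text() wraps at word boundaries only when a positive width is given. The function names, the 80-column fallback and the sample sentence are this example's own constructions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Width to wrap at for output going to fd. 0 means "do not wrap" and is
 * returned whenever fd is not a terminal (pipe, regular file, socket). */
int wrap_width_for(int fd)
{
    if (!isatty(fd))
        return 0;
    struct winsize ws;
    if (ioctl(fd, TIOCGWINSZ, &ws) == 0 && ws.ws_col > 0)
        return ws.ws_col;
    return 80;   /* a terminal whose size is unknown: classic default (assumed) */
}

/* Wrap text at word boundaries so no line exceeds width columns (words longer
 * than width stay whole on their own line). width <= 0 returns an unchanged
 * copy. Runs of spaces collapse to one separator. Caller frees the result. */
char *wrap_text(const char *text, int width)
{
    size_t len = strlen(text);
    char *out = malloc(len + 1);          /* output never grows: separators only change */
    if (out == NULL)
        return NULL;
    if (width <= 0) {
        memcpy(out, text, len + 1);
        return out;
    }
    size_t col = 0, o = 0;
    const char *p = text;
    while (*p) {
        size_t wlen = strcspn(p, " ");    /* length of the next word */
        if (col > 0 && col + 1 + wlen > (size_t)width) {
            out[o++] = '\n';              /* word does not fit: start a new line */
            col = 0;
        } else if (col > 0) {
            out[o++] = ' ';
            col++;
        }
        memcpy(out + o, p, wlen);
        o += wlen;
        col += wlen;
        p += wlen;
        while (*p == ' ')
            p++;
    }
    out[o] = '\0';
    return out;
}

/* Prints a constructed sample line wrapped for wherever stdout goes:
 * unchanged when piped, wrapped to the terminal width when interactive. */
int main(void)
{
    const char *sample = "User root may run the following commands on this host";
    char *wrapped = wrap_text(sample, wrap_width_for(STDOUT_FILENO));
    if (wrapped == NULL)
        return 1;
    puts(wrapped);
    free(wrapped);
    return 0;
}
```

Running the program directly in a terminal wraps the line; running it as `./a.out | cat` emits it unchanged, which is the behaviour the fix restores so that downstream tools such as grep see whole lines.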

  • Previously, the "tls_checkpeer" option was set on a handle that is not used when connecting to the Lightweight Directory Access Protocol (LDAP) server. The "tls_checkpeer" option could not be disabled. This update modifies the underlying code so that the option can now be disabled. (BZ#810372)

All users of sudo are advised to upgrade to this updated package, which fixes these bugs.

Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

Affected Products

Product | Version | Arch
Red Hat Enterprise Linux for Scientific Computing | 6 | x86_64
Red Hat Enterprise Linux for Power, big endian | 6 | ppc64
Red Hat Enterprise Linux for IBM z Systems | 6 | s390x
Red Hat Enterprise Linux Workstation | 6 | x86_64
Red Hat Enterprise Linux Workstation | 6 | i386
Red Hat Enterprise Linux Server | 6 | x86_64
Red Hat Enterprise Linux Server | 6 | i386
Red Hat Enterprise Linux Server from RHUI | 6 | x86_64
Red Hat Enterprise Linux Server from RHUI | 6 | i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) | 6 | s390x
Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 6 | s390x
Red Hat Enterprise Linux Desktop | 6 | x86_64
Red Hat Enterprise Linux Desktop | 6 | i386

Updated Packages

  • sudo-debuginfo-1.7.4p5-11.el6.x86_64.rpm
  • sudo-debuginfo-1.7.4p5-11.el6.s390x.rpm
  • sudo-debuginfo-1.7.4p5-11.el6.i686.rpm
  • sudo-1.7.4p5-11.el6.ppc64.rpm
  • sudo-1.7.4p5-11.el6.src.rpm
  • sudo-1.7.4p5-11.el6.i686.rpm
  • sudo-1.7.4p5-11.el6.x86_64.rpm
  • sudo-debuginfo-1.7.4p5-11.el6.ppc64.rpm
  • sudo-1.7.4p5-11.el6.s390x.rpm

Fixes

CVEs

(none)

References

(none)
