sudo exploit patch for antix-17 and antix-19?
This topic has 7 replies, 4 voices, and was last updated Feb 9, 6:30 pm by stevesr0.
February 7, 2021 at 12:27 am #54025 Member
stevesr0
I understand there is a patch for a sudo exploit that allows LOCAL users to elevate their privileges to root for Debian based distros.
Although my home systems are unlikely to be attacked by people coming into my home, I am curious about the availability of patches that can be used on my antix-17 and antix-19 computers.
thanks.
stevesr0
February 7, 2021 at 1:09 am #54028 Anonymous
If debian-security repo is enabled in your sources list (which should be the case, by default)
you should have already received the patched sudo package.
for antiX17 (debian stretch) it is: 1.8.19p1-2.1+deb9u3
for antiX19 (debian buster) it is: 1.8.27-1+deb10u3

For future reference:
At debian’s security tracker website, here’s where you can check the status/availability
https://security-tracker.debian.org/tracker

February 7, 2021 at 7:38 pm #54119 Member
stevesr0
Hi skidoo,
Thanks for the reference to check.
According to the tracker, both the antix-17 and the antix-19 versions ARE vulnerable.
Only the version in sid (1.9.5) is patched.
stevesr0
February 7, 2021 at 7:49 pm #54122 Member
userzero
No.
https://security-tracker.debian.org/tracker/source-package/sudo

Start-Date: 2021-01-27 12:44:57
Commandline: apt dist-upgrade
[...]
sudo:amd64 (1.8.27-1+deb10u2, 1.8.27-1+deb10u3)
[...]
End-Date: 2021-01-27 12:47:22

“For the “stable” distribution (buster), this problem has been fixed in version 1.8.27-1+deb10u3”
https://www.debian.org/security/2021/dsa-4839
Debian 10.8
February 7, 2021 at 7:51 pm #54123 Member
Xecure
Read skidoo’s post carefully.
If debian-security repo is enabled in your sources list (which should be the case, by default)
you should have already received the patched sudo package.

As last time with freetype, you can see if your installed version is the patched version, with apt policy sudo. Skidoo already provided the package version:
for antiX17 (debian stretch) it is: 1.8.19p1-2.1+deb9u3
for antiX19 (debian buster) it is: 1.8.27-1+deb10u3

And you can see it in the changelog of the installed package.
apt changelog sudo
For buster: https://metadata.ftp-master.debian.org/changelogs//main/s/sudo/sudo_1.8.27-1+deb10u3_changelog

sudo (1.8.27-1+deb10u3) buster-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Sanity check size when converting the first record to TS_LOCKEXCL
  * Heap-based buffer overflow (CVE-2021-3156)
    - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
    - Add sudoedit flag checks in plugin that are consistent with front-end
    - Fix potential buffer overflow when unescaping backslashes in user_args
    - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL
    - Don't assume that argv is allocated as a single flat buffer

 -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 20 Jan 2021 13:26:17 +0100

As you can see, it has been patched since Wed, 20 Jan 2021.
Edit: ninja’d by userzero
(This reply was modified 2 years, 3 months ago by Xecure. Reason: ninja got me first)
antiX Live system enthusiast.
General Live Boot Parameters for antiX.

February 9, 2021 at 12:02 am #54161 Member
stevesr0
Thanks folks for responses,
I was a bit confused. You folks are saying that CVE-2021-3156 is patched. That is correct. But I was looking at CVE-2021-23239 which I thought was the one at issue. Is that one inconsequential?
Parenthetically, I did follow skidoo’s instructions <g>. But you (Xecure), I am sure, are also correct; that I didn’t use the instructions you provided to me a while back when I posted a question about freetype. I will try to do better (humbly said).
And in the future, I will attempt to post the exact CVE to avoid confusing things.
stevesr0
February 9, 2021 at 8:39 am #54166 Anonymous
I was looking at CVE-2021-23239 which I thought was the one at issue. Is that one inconsequential?

Good catch!
Due to its recency, I would not attempt to guess whether debian maintainers believe it to be inconsequential or just haven’t yet gotten ’round to issuing patched debfiles for the other suites. In case they do deem it to be inconsequential (I would agree that it is) but you would still prefer to have a patched version…

I am curious about the availability of patches that can be used on my antix-17 and antix-19 computers.

you can view the v1.8x associated (Ubuntu) patchfile here:
https://www.sudo.ws/repos/sudo/rev/ea19d0073c02

If you care to DIY debian’s latest (1.9.5p2-2), it does successfully build on antiX17.
http://deb.debian.org/debian/pool/main/s/sudo/sudo_1.9.5p2.orig.tar.gz
http://deb.debian.org/debian/pool/main/s/sudo/sudo_1.9.5p2-2.debian.tar.xz
(FYI, I only compiled & verified installable, didn’t take the time to install & test.)

February 9, 2021 at 6:30 pm #54183 Member
stevesr0