# Sudo vulnerability



## kpa (Jan 31, 2012)

Heads up, this one looks pretty serious, update ASAP.

http://www.vuxml.org/freebsd/7c920bb7-4b5f-11e1-9f47-00e0815b8da8.htm

More information:

http://seclists.org/fulldisclosure/2012/Jan/590


----------



## throAU (Jan 31, 2012)

Ouch. None of my boxes have SSH/telnet open to the internet at all, but still, that's a pretty nasty bug.


----------



## SirDice (Jan 31, 2012)

Pretty serious indeed. What's even worse is the triviality of the bug itself.

A frigging format string bug in a security tool. Come on..


----------
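The bug class SirDice is pointing at, as an added example that is not from the thread and not sudo's own code: a logging routine that hands text of unknown origin to `fprintf` as the format argument, beside the safe form that passes the same text through a literal `"%s"` format, plus a small scanner that counts the conversions a string would trigger (a cheap review-time check for any string that is about to be used as a format). Function names and the sample message are constructed for this example.

```c
/* Added example: unsafe vs. safe use of printf-style formatting, and a
 * scanner that counts conversion specifications in a string. Names and
 * sample input are constructed; this is not code from sudo. */
#include <stdio.h>
#include <string.h>

/* Unsafe pattern: text that may contain user-supplied characters is used
 * as the format itself, so any '%' conversions it contains are interpreted
 * by fprintf rather than printed. Shown for contrast only; the caller no
 * longer controls what the call does. */
void log_message_unsafe(const char *msg)
{
    fprintf(stderr, msg);
}

/* Safe pattern: the format is a string literal and the untrusted text is an
 * argument, so '%' characters in msg are copied verbatim. Returns the
 * number of characters snprintf would have written (excluding the NUL). */
int render_message_safe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/* Count printf conversion specifications in s, treating "%%" as a literal
 * percent sign. A lone trailing '%' is counted too, since printf would not
 * handle it as plain text either. A non-zero result for text that was
 * meant to be printed verbatim means it must not be used as a format. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is an escaped percent: skip both */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: a string a user could supply (e.g. a hostname)
     * that happens to contain conversion specifications. */
    const char *msg = "host %x%x%n";
    char buf[64];

    printf("directives in sample: %d\n", count_format_directives(msg));
    render_message_safe(buf, sizeof buf, msg);
    printf("rendered safely: %s\n", buf);   /* text appears verbatim */
    /* log_message_unsafe(msg) would instead hand those conversions to
     * fprintf, which is the defect the thread is about. */
    return 0;
}
```

Compilers flag the unsafe form when asked: gcc and clang report it under `-Wformat-security`, which is the quickest way to find this pattern across a code base, and `count_format_directives` is the same idea applied at runtime to a string that is about to become a format.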



## anomie (Jan 31, 2012)

Already saw the email from ports-mgmt/portaudit this morning, but this thread got me moving quicker.


----------



## throAU (Feb 1, 2012)

FYI - looks like 7.x and 8.x use Sudo 1.6.9p20.  Thus, they are unaffected.

e.g.:


```
%sudo -V
Sudo version 1.6.9p20
%uname -a
FreeBSD ns1.byrnecut.com.au 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:45:57 UTC 2011     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
%
```


edit:
Ack. No, maybe that's not right. Sudo is a port, isn't it? I remember now that I added sudo as a package on that box. X.Y-RELEASE packages are updated regularly, or only the ports tree?


(The above box is actually on 8.2p4, but there was no kernel change and I run stock binaries on that box...)


----------



## kpa (Feb 1, 2012)

It's security/sudo, so yes, it's a port and not part of the base OS. The newest version may have been 1.6.* at the time when 8.2 was released. However, if you had updated installed ports/packages like you should have, you would now have a 1.8.* version installed.


----------



## SirDice (Feb 1, 2012)

throAU said:

> FYI - looks like 7.x and 8.x use Sudo 1.6.9p20.  Thus, they are unaffected.


All versions of FreeBSD use the same ports tree. They could therefore all have a vulnerable sudo installed. The version of the base OS is irrelevant in this case.



> X.Y-RELEASE packages are updated regularly, or only the ports tree?


The -RELEASE packages are _never_ updated. The -STABLE packages however are regularly rebuilt from a current ports tree.


----------



## kpa (Feb 1, 2012)

Just a notice: right now you can't update via binary packages. The ftp sites still have the old version 1.8.3_1. You must compile security/sudo using the ports(7) infrastructure.


----------

