FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-29 07:54:42 UTC


These are the vulnerabilities relating to the commit you have selected:

VuXML ID: Description
018a84d0-2548-11df-b4a3-00e0815b8da8: sudo -- Privilege escalation with sudoedit

Todd Miller reports:

When sudo performs its command matching, there is a special case for pseudo-commands in the sudoers file (currently, the only pseudo-command is sudoedit). Unlike a regular command, pseudo-commands do not begin with a slash ('/'). The flaw is that sudo's matching code would only check against the list of pseudo-commands if the user-specified command also contained no slashes. As a result, if the user ran "sudo ./sudoedit" the normal matching code path was followed, which uses stat(2) to verify that the user-specified command matches the one in sudoers. In this case, it would compare the "./sudoedit" specified by the user with "sudoedit" from the sudoers file, resulting in a positive match.


Discovery 2010-01-29
Entry 2010-03-01
sudo
< 1.7.2.4

http://www.sudo.ws/pipermail/sudo-announce/2010-February/000092.html
http://www.sudo.ws/sudo/alerts/sudoedit_escalate.html
http://secunia.com/advisories/38659
CVE-2010-0426
38362
045944a0-6bca-11d9-aaa6-000a95bc6fae: sudo -- environmental variable CDPATH is not cleared

A sudo bug report says:

sudo doesn't unset the CDPATH variable, which leads to possible security problems.


Discovery 2004-10-18
Entry 2005-01-21
Modified 2013-06-19
sudo
< 1.6.8.4

http://www.sudo.ws/bugs/show_bug.cgi?id=155
http://www.sudo.ws/pipermail/sudo-announce/2004-November/000044.html
13d6d997-f455-11dd-8516-001b77d09812: sudo -- certain authorized users could run commands as any user

Todd Miller reports:

A bug was introduced in Sudo's group matching code in version 1.6.9 when support for matching based on the supplemental group vector was added. This bug may allow certain users listed in the sudoers file to run a command as a different user than their access rule specifies.


Discovery 2009-02-04
Entry 2009-02-06
sudo
ge 1.6.9 lt 1.6.9.20

33517
CVE-2009-0034
http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html
1a9f678d-48ca-11df-85f8-000c29a67389: sudo -- Privilege escalation with sudoedit

Todd Miller reports:

Sudo's command matching routine expects actual commands to include one or more slash ('/') characters. The flaw is that sudo's path resolution code did not add a "./" prefix to commands found in the current working directory. This creates an ambiguity between a "sudoedit" command found in the cwd and the "sudoedit" pseudo-command in the sudoers file. As a result, a user may be able to run an arbitrary command named "sudoedit" in the current working directory. For the attack to be successful, the PATH environment variable must include "." and may not include any other directory that contains a "sudoedit" command.


Discovery 2010-04-09
Entry 2010-04-15
sudo
< 1.7.2.6

CVE-2010-1163
http://www.sudo.ws/pipermail/sudo-announce/2010-April/000093.html
http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html
1b725079-9ef6-11da-b410-000e0c2e438a: sudo -- arbitrary command execution

Tavis Ormandy reports:

The bash shell uses the value of the PS4 environment variable (after expansion) as a prefix for commands run in execution trace mode. Execution trace mode (xtrace) is normally set via bash's -x command line option or interactively by running "set -o xtrace". However, it may also be enabled by placing the string "xtrace" in the SHELLOPTS environment variable before bash is started.

A malicious user with sudo access to a shell script that uses bash can use this feature to run arbitrary commands for each line of the script.


Discovery 2005-10-25
Entry 2006-02-16
sudo
< 1.6.8.10

15191
CVE-2005-2959
http://www.courtesan.com/sudo/alerts/bash_env.html
2e4fbc9a-9d23-11e6-a298-14dae9d210b8: sudo -- Potential bypass of sudo_noexec.so via wordexp()

Todd C. Miller reports:

A flaw exists in sudo's noexec functionality that may allow a user with sudo privileges to run additional commands even when the NOEXEC tag has been applied to a command that uses the wordexp() function.


Discovery 2016-10-28
Entry 2016-10-28
sudo
ge 1.6.8 lt 1.8.18p1

https://www.sudo.ws/alerts/noexec_wordexp.html
CVE-2016-7076
2e8cdd36-c3cc-11e5-b5fe-002590263bf5: sudo -- potential privilege escalation via symlink misconfiguration

MITRE reports:

sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by "/home/*/*/file.txt."


Discovery 2015-11-17
Entry 2016-01-26
sudo
< 1.8.15

CVE-2015-5602
ports/206590
https://www.exploit-db.com/exploits/37710/
https://bugzilla.sudo.ws/show_bug.cgi?id=707
http://www.sudo.ws/stable.html#1.8.15
3310014a-5ef9-11ed-812b-206a8a720317: sudo -- Potential out-of-bounds write for small passwords

SO-AND-SO reports:

Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture.


Discovery 2022-11-07
Entry 2022-11-07
sudo
ge 1.8.0 lt 1.9.12p1

CVE-2022-43995
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43995
3a1474ba-f646-11e9-b0af-b888e347c638: sudo -- Potential bypass of Runas user restrictions

Todd C. Miller reports:

When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.

This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.

Log entries for commands run this way will list the target user as 4294967295 instead of root. In addition, PAM session modules will not be run for the command.


Discovery 2019-10-15
Entry 2019-10-24
sudo
< 1.8.28

https://www.sudo.ws/alerts/minus_1_uid.html
CVE-2019-14287
3bf157fa-e1c6-11d9-b875-0001020eed82: sudo -- local race condition vulnerability

Todd C. Miller reports:

A race condition in Sudo's command pathname handling prior to Sudo version 1.6.8p9 that could allow a user with Sudo privileges to run arbitrary commands.

Exploitation of the bug requires that the user be allowed to run one or more commands via Sudo and be able to create symbolic links in the filesystem. Furthermore, a sudoers entry giving another user access to the ALL pseudo-command must follow the user's sudoers entry for the race to exist.


Discovery 2005-06-20
Entry 2005-06-20
Modified 2005-11-14
sudo
< 1.6.8.9

13993
CVE-2005-1993
http://marc.theaimsgroup.com/?l=bugtraq&m=111928183431376
6193b3f6-548c-11eb-ba01-206a8a720317: sudo -- Potential information leak in sudoedit

Todd C. Miller reports:

A potential information leak in sudoedit that could be used to test for the existence of directories not normally accessible to the user in certain circumstances. When creating a new file, sudoedit checks to make sure the parent directory of the new file exists before running the editor. However, a race condition exists if the invoking user can replace (or create) the parent directory. If a symbolic link is created in place of the parent directory, sudoedit will run the editor as long as the target of the link exists. If the target of the link does not exist, an error message will be displayed. The race condition can be used to test for the existence of an arbitrary directory. However, it _cannot_ be used to write to an arbitrary location.


Discovery 2021-01-11
Entry 2021-01-11
sudo
< 1.9.5

https://www.sudo.ws/stable.html#1.9.5
CVE-2021-23239
67b514c3-ba8f-11df-8f6e-000c29a67389: sudo -- Flaw in Runas group matching

Todd Miller reports:

Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo -g option (run as group). A flaw exists in the logic that matches Runas groups in the sudoers file when the -u option is also specified (run as user). This flaw results in a positive match for the user specified via -u so long as the group specified via -g is allowed by the sudoers file.

Exploitation of the flaw requires that Sudo be configured with sudoers entries that contain a Runas group. Entries that do not contain a Runas group, or only contain a Runas user are not affected.


Discovery 2010-09-07
Entry 2010-09-07
sudo
ge 1.7.0 lt 1.7.4.4

CVE-2010-2956
http://www.sudo.ws/sudo/alerts/runas_group.html
764344fb-8214-11e2-9273-902b343deec9: sudo -- Authentication bypass when clock is reset

Todd Miller reports:

The flaw may allow someone with physical access to a machine that is not password-protected to run sudo commands without knowing the logged in user's password. On systems where sudo is the principal way of running commands as root, such as on Ubuntu and Mac OS X, there is a greater chance that the logged in user has run sudo before and thus that an attack would succeed.


Discovery 2013-02-27
Entry 2013-03-01
sudo
< 1.8.6.p7

CVE-2013-1775
http://www.sudo.ws/sudo/alerts/epoch_ticket.html
7c920bb7-4b5f-11e1-9f47-00e0815b8da8: sudo -- format string vulnerability

Todd Miller reports:

Sudo 1.8.0 introduced simple debugging support that was primarily intended for use when developing policy or I/O logging plugins. The sudo_debug() function contains a flaw where the program name is used as part of the format string passed to the fprintf() function. The program name can be controlled by the caller, either via a symbolic link or, on some systems, by setting argv[0] when executing sudo.

Using standard format string vulnerability exploitation techniques it is possible to leverage this bug to achieve root privileges.

Exploitation of the bug does not require that the attacker be listed in the sudoers file. As such, we strongly suggest that affected sites upgrade from affected sudo versions as soon as possible.


Discovery 2012-01-30
Entry 2012-01-30
Modified 2012-01-31
sudo
ge 1.8.0 lt 1.8.3_2

CVE-2012-0809
http://www.gratisoft.us/sudo/alerts/sudo_debug.html
82cfd919-8213-11e2-9273-902b343deec9: sudo -- Potential bypass of tty_tickets constraints

Todd Miller reports:

A (potentially malicious) program run by a user with sudo access may be able to bypass the "tty_ticket" constraints. In order for this to succeed there must exist on the machine a terminal device that the user has previously authenticated themselves on via sudo within the last time stamp timeout (5 minutes by default).


Discovery 2013-02-27
Entry 2013-03-01
sudo
< 1.8.6.p7

CVE-2013-1776
http://www.sudo.ws/sudo/alerts/tty_tickets.html
908f4cf2-1e8b-11e0-a587-001b77d09812: sudo -- local privilege escalation

Todd Miller reports:

Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo's -g option (run as group), if allowed by the sudoers file. A flaw exists in sudo's password checking logic that allows a user to run a command with only the group changed without being prompted for a password.


Discovery 2011-01-11
Entry 2011-01-13
sudo
ge 1.7.0 lt 1.7.4.5

CVE-2011-0010
http://www.sudo.ws/sudo/alerts/runas_group_pw.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641
a268ef4a-0b35-11d9-8a8a-000c41e2cdad: sudo -- sudoedit information disclosure

A new feature of sudo 1.6.8 called "sudoedit" (a safe editing facility) may allow users to read files to which they normally have no access.


Discovery 2004-09-18
Entry 2004-09-20
sudo
eq 1.6.8

http://www.sudo.ws/sudo/alerts/sudoedit.html
b3435b68-9ee8-11e1-997c-002354ed89bc: sudo -- netmask vulnerability

Todd Miller reports:

Sudo supports granting access to commands on a per-host basis. The host specification may be in the form of a host name, a netgroup, an IP address, or an IP network (an IP address with an associated netmask).

When IPv6 support was added to sudo, a bug was introduced that caused the IPv6 network matching code to be called when an IPv4 network address does not match. Depending on the value of the uninitialized portion of the IPv6 address, it is possible for the IPv4 network number to match when it should not. This bug only affects IP network matching and does not affect simple IP address matching.

The reported configuration that exhibited the bug was an LDAP-based sudo installation where the sudoRole object contained multiple sudoHost entries, each containing a different IPv4 network. File-based sudoers should be affected as well as the same matching code is used.


Discovery 2012-05-16
Entry 2012-05-16
sudo
le 1.8.4_1

CVE-2012-2337
http://www.sudo.ws/sudo/alerts/netmask.html
b4e5f782-442d-11ea-9ba9-206a8a720317: sudo -- Potential bypass of Runas user restrictions

Todd C. Miller reports:

Sudo's pwfeedback option can be used to provide visual feedback when the user is inputting their password. For each key press, an asterisk is printed. This option was added in response to user confusion over how the standard Password: prompt disables the echoing of key presses. While pwfeedback is not enabled by default in the upstream version of sudo, some systems, such as Linux Mint and Elementary OS, do enable it in their default sudoers files.

Due to a bug, when the pwfeedback option is enabled in the sudoers file, a user may be able to trigger a stack-based buffer overflow. This bug can be triggered even by users not listed in the sudoers file. There is no impact unless pwfeedback has been enabled.


Discovery 2020-01-30
Entry 2020-01-30
sudo
< 1.8.31

https://www.sudo.ws/alerts/pwfeedback.html
CVE-2019-18634
bdd1537b-354c-11d9-a9e7-0001020eed82: sudo -- privilege escalation with bash scripts

A Sudo Security Alert reports:

A flaw exists in sudo's environment sanitizing prior to sudo version 1.6.8p2 that could allow a malicious user with permission to run a shell script that utilized the bash shell to run arbitrary commands.


Discovery 2004-11-11
Entry 2004-11-13
sudo
< 1.6.8.2

http://www.courtesan.com/sudo/alerts/bash_functions.html
d42e5b66-6ea0-11df-9c8d-00e0815b8da8: sudo -- Secure path vulnerability

Todd Miller reports:

Most versions of the C library function getenv() return the first instance of an environment variable to the caller. However, some programs, notably the GNU Bourne Again SHell (bash), do their own environment parsing and may choose the last instance of a variable rather than the first one.

An attacker may manipulate the environment of the process that executes Sudo such that a second PATH variable is present. When Sudo runs a bash script, it is this second PATH variable that is used by bash, regardless of whether or not Sudo has overwritten the first instance of PATH. This may allow an attacker to subvert the program being run under Sudo and execute commands he/she would not otherwise be allowed to run.


Discovery 2010-06-02
Entry 2010-06-02
sudo
< 1.7.2.7

CVE-2010-1646
http://sudo.ws/sudo/alerts/secure_path.html
f3cf4b33-6013-11eb-9a0e-206a8a720317: sudo -- Multiple vulnerabilities

Todd C. Miller reports:

When invoked as sudoedit, the same set of command line options are now accepted as for sudo -e. The -H and -P options are now rejected for sudoedit and sudo -e which matches the sudo 1.7 behavior. This is part of the fix for CVE-2021-3156.

Fixed a potential buffer overflow when unescaping backslashes in the command's arguments. Normally, sudo escapes special characters when running a command via a shell (sudo -s or sudo -i). However, it was also possible to run sudoedit with the -s or -i flags in which case no escaping had actually been done, making a buffer overflow possible. This fixes CVE-2021-3156.


Discovery 2021-01-26
Entry 2021-01-26
sudo
< 1.9.5p2

https://www.sudo.ws/stable.html#1.9.5p2
CVE-2021-3156