Linux sudo flaw

#2338250

    Over there on the “other” platform, Linux also needs to be updated this week. As bleepingcomputer notes, A now-fixed Sudo vulnerability allowed any lo
    [See the full post at: Linux sudo flaw]

    Susan Bradley Patch Lady/Prudent patcher

    • #2338293

      Already fixed on Ubuntu and derivatives. The update is dated January 19, 2021, though I don’t know if that means it was packaged and released that day. It was already installed when I first saw the news and checked.

      Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
      XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
      Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

      • #2338379

        @Ascaris that ties in with the CVE-2021-3156 record, given the time to notify and rectify the issue by developers of each distro.
        CVE

        Windows - commercial by definition and now function...
        • #2338481

          That’s for the CVE date, but the date I was referring to was the Ubuntu sudo update date. I am not sure if there is a gap between the date listed in the changelog and the date it was actually rolled out to end users.

          Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
          XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
          Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

          • #2341892

            A little delay is normal for Ubuntu. Fedora updates are more swiftly rolled out to end users.

            -- rc primak

      • #2341889

        Already fixed on Ubuntu and derivatives.

        Fedora as well.

        -- rc primak

    • #2338358

      This is an instructive caution about open source projects.  Just because the source code can be viewed, doesn’t necessarily mean that it is being reviewed.

      On the other hand, once a flaw of this type is discovered, it’s something that can be fixed, and updates distributed relatively quickly. And for most major Linux distros, updates will show up in the various repositories, where they can quickly/easily be installed by normal package management processes.

      Quite a bit of contrast from Microsoft, often having to wait until the next Patch Tuesday (and risk of problems with other updates being bundled), or Apple’s no-communication approach of simply releasing an update package when they decide they’re ready. Or for that matter, most Windows packages where there’s a variety of update mechanisms ranging from silent/automatic update to Help -> Check for Updates to the need to visit a developer’s website to manually download and install.

      • #2341893

        Add to that Google’s own Android version of Linux, which often never gets updated on older devices.

        -- rc primak

    • #2338361

      ? says:

      thank you for the notice, Susan.

      Commit Log for Tue Jan 26 15:00:08 2021
      Upgraded the following packages:
      sudo (1.8.31-1ubuntu1) to 1.8.31-1ubuntu1.2

      and does windows have “kernel updates?”

      Commit Log for Thu Jan 14 19:30:59 2021
      Upgraded the following packages:
      linux-generic-hwe-20.04 (5.8.0.36.40~20.04.21) to 5.8.0.38.43~20.04.23
      linux-headers-generic-hwe-20.04 (5.8.0.36.40~20.04.21) to 5.8.0.38.43~20.04.23
      linux-image-generic-hwe-20.04 (5.8.0.36.40~20.04.21) to 5.8.0.38.43~20.04.23

      Installed the following packages:
      linux-headers-5.8.0-38-generic (5.8.0-38.43~20.04.1)
      linux-hwe-5.8-headers-5.8.0-38 (5.8.0-38.43~20.04.1)
      linux-image-5.8.0-38-generic (5.8.0-38.43~20.04.1)
      linux-modules-5.8.0-38-generic (5.8.0-38.43~20.04.1)
      linux-modules-extra-5.8.0-38-generic (5.8.0-38.43~20.04.1)

      thank you!

    • #2338387

      This is an instructive caution about open source projects. Just because the source code can be viewed, doesn’t necessarily mean that it is being reviewed.

      just a “little” hole for about 10 years,
      https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt

      * _ ... _ *
    • #2338398

      I am the only “local user” on my Linux computer which stays in my home all the time.  Do I need to worry about this?  I use sudo once in awhile and it works just fine; will this update affect my ability to use sudo as I have in the past?

      Being 20 something in the 70's was far more fun than being 70 something in the insane 20's
      • #2338431

        The issue is only relevant to cases where there’s another user who is not supposed to be able to gain admin credentials.

        Unfortunately any number of things callable from the network can qualify for that if they can be made to call sudo with arbitrary command line arguments.

        And after the fix, sudo will work more correctly, though this only affects cases where you had things like file, directory or device names ending in a \ character that you’d use in sudo commands. (Remember, it’s not a path separator in Unix/Linux…)

        • #2338435

          So is this fix really necessary for cases like mine where I’m the only one using or even knows how to use sudo?  I’m just concerned about installing any update that I don’t need, and having it mess up something that currently works just fine.

          Being 20 something in the 70's was far more fun than being 70 something in the insane 20's
          • #2338440

            By the principle of defense in depth, you do want this fix.

            Because if someone manages to be able to run shell commands as you some other way, say from a browser or email fault, they can get root credentials with this.

            And also, if you manage to end up with… say, file names… ending in the \ character (it’s allowed in file names just fine in Unix/Linux), running without the fix is somewhat unsafe even in full isolation.

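The two replies above boil down to a practical question: is the sudo on this box still the vulnerable one? Below is an added example (not code from the thread or from the sudo project) that answers it two ways. The first is the behavioural check from the Qualys advisory linked later in this thread: as an unprivileged user, run `sudoedit -s /`; an unpatched sudo accepts the flag and complains that `/` is not a regular file, a patched one rejects the flag and prints its usage line. The second compares an upstream version string against the affected ranges Qualys lists (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1). The version test is only a hint, because distributions backport the fix without changing the upstream version: the patched Ubuntu package `1.8.31-1ubuntu1.2` quoted in this thread still carries 1.8.31, which is inside the range. The English message text and the absence of a password prompt for `sudoedit -s /` are assumptions about a stock build.

```shell
#!/bin/sh
# Added example: is this host's sudo still affected by CVE-2021-3156?
# Not from the thread or the sudo project; see the lead-in for assumptions.

# Classify the first line that "sudoedit -s /" prints (Qualys check).
#   unpatched: "sudoedit: /: not a regular file"   (flag accepted)
#   patched:   "usage: sudoedit [-AknS] ..."        (flag rejected)
classify_sudoedit_output() {
    case "$1" in
        "sudoedit: /:"*) echo vulnerable ;;
        usage:*)         echo patched ;;
        *)               echo unknown ;;
    esac
}

# Run the check here. Needs no root and changes nothing; sudoedit never
# gets as far as opening a file either way.
check_local_sudo() {
    command -v sudoedit >/dev/null 2>&1 || { echo "sudoedit not installed"; return 2; }
    first=$(sudoedit -s / 2>&1 | head -n 1)
    classify_sudoedit_output "$first"
}

# "1.8.31p2" -> "1 8 31 2"; "1.9.5" -> "1 9 5 0". A distro suffix after
# the first "-" (e.g. "-1ubuntu1.2") is dropped: it carries no upstream
# meaning, which is exactly why this comparison is only a hint.
version_tuple() {
    base=${1%%-*} p=0
    case "$base" in *p*) p=${base##*p}; base=${base%p*} ;; esac
    old_ifs=$IFS; IFS=.
    set -- $base
    IFS=$old_ifs
    echo "${1:-0} ${2:-0} ${3:-0} $p"
}

# Collapse a tuple into one sortable integer (fits in 32 bits for sudo's
# version numbers).
version_key() {
    set -- $(version_tuple "$1")
    echo $(( $1 * 1000000000 + $2 * 1000000 + $3 * 1000 + $4 ))
}

# Succeeds when the upstream version lies in a range Qualys lists as
# affected: 1.8.2..1.8.31p2 (legacy) or 1.9.0..1.9.5p1 (stable).
upstream_version_vulnerable() {
    k=$(version_key "$1")
    if [ "$k" -ge "$(version_key 1.8.2)" ] && [ "$k" -le "$(version_key 1.8.31p2)" ]; then
        return 0
    fi
    if [ "$k" -ge "$(version_key 1.9.0)" ] && [ "$k" -le "$(version_key 1.9.5p1)" ]; then
        return 0
    fi
    return 1
}

# ./sudo-check.sh --run   (as a normal user, not root)
if [ "${1:-}" = "--run" ]; then
    check_local_sudo
    v=$(sudo -V 2>/dev/null | sed -n 's/^Sudo version //p')
    if [ -n "$v" ]; then
        if upstream_version_vulnerable "$v"; then
            echo "upstream $v is in the affected range (check above is authoritative)"
        else
            echo "upstream $v is outside the affected range"
        fi
    fi
fi
```

Trust the `sudoedit -s /` result over the version number: it exercises the exact code path the fix changed, so it is right for backported packages where the version string is not.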
    • #2338399

      My Ubuntu 20.04 kernel was also upgraded yesterday.  Usually it is upgraded every two weeks, but this time it was one week.

      • #2341897

        This was a normal Update (Software Update) not necessarily needing a kernel update.

        -- rc primak

    • #2338433

      Oh and this is really not limited to Linux.

      While I haven’t seen any attempts at reproducing this on other operating systems, it’s not unlikely that sudo is affected across all of them.

      Sudo runs on all the BSDs I believe, and MacOS, AIX, HP-UX (both hppa and Itanium), Solaris (i386, x86-64 and Sparc), … and a bunch of other things. Wouldn’t be surprised to find it on Juniper routers for example (JunOS looks very BSD-like), or any number of embedded or integrated systems – VxWorks is POSIX enough that having a sudo on the NASA Mars rovers is not at all impossible.

    • #2338447

How does this work, given that “sudo”, by default, requires that the user enters the login password before being enabled to issue a line command with super user status?

      https://superuser.com/questions/67765/sudo-with-password-in-one-command-line

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      • #2338451

        It works because sudo itself needs to run at elevated privileges to be able to grant privileges.

        • #2338452

          mn- Without the user password?

          Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

          MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
          Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
          macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

          • #2338457

            Actually, password checking may not need elevated privileges. Didn’t on older systems, back before “shadow” passwords… and in low-security environments you might still find such configurations. Inadvisable unless you really can’t help it, but…

            And… you know how sudo typically allows you to run a *second* command at elevated privileges without entering the password a second time if you’re quick enough? Yeah, that. It doesn’t stay in memory or anything, it just saves a marker in a file and checks that for time and session differences – and if those are good enough it elevates your privileges without asking for your password.

            Yes, this means that if you know where that file goes and have the privileges to write there, you can bypass the password prompt. (Then again in that case you already seem to have pretty much all the privileges, so…)

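The reply above describes sudo's cached-credential marker: answer one password prompt and, for a few minutes, further sudo commands from the same session go through unasked. If that window worries you, it is configurable. The following is an added example (not from the thread or the sudo project) that renders a sudoers drop-in shrinking the window, validates it with `visudo -c` before installing it (a syntax error in sudoers can lock you out of root), and shows how to throw away an existing marker on demand. It assumes a sudo build with the `/etc/sudoers.d` directory enabled and a root shell for the install step only; the file name `10-timestamp` is my choice.

```shell
#!/bin/sh
# Added example: limit how long sudo trusts a password you already typed.
# Not from the thread or the sudo project; see the lead-in for assumptions.

# timestamp_timeout is in minutes; 0 means "ask every time". timestamp_type=tty
# ties the marker to the terminal rather than the whole login session, so a
# process of yours on another tty cannot ride on a prompt you answered here
# (tty is the modern default, but pinning it makes the intent explicit).
render_sudo_timestamp_dropin() {
    timeout=${1:-0}
    cat <<EOF
# Added by render_sudo_timestamp_dropin (example drop-in, not distro-provided)
Defaults timestamp_timeout=$timeout
Defaults timestamp_type=tty
EOF
}

# Render to a temp file, let visudo check it, and only then copy it into
# place with the 0440 root:root mode sudo insists on.
install_sudo_timestamp_dropin() {
    timeout=${1:-0}
    target=${2:-/etc/sudoers.d/10-timestamp}
    tmp=$(mktemp) || return 1
    render_sudo_timestamp_dropin "$timeout" > "$tmp"
    if visudo -cf "$tmp"; then
        install -m 0440 -o root -g root "$tmp" "$target"
        rc=$?
    else
        echo "refusing to install: visudo rejected $tmp" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Invalidate the marker for this user/terminal right now (e.g. before
# walking away from the keyboard); the next sudo will prompt again.
forget_cached_sudo_credentials() {
    sudo -k
}

# sudo ./sudo-timestamp.sh --install 2    (2-minute window)
if [ "${1:-}" = "--install" ]; then
    install_sudo_timestamp_dropin "${2:-0}"
fi
```

`sudo -k` only removes your own marker; `sudo -K` (capital) removes the marker file entirely, which is what you want if the concern is the "know where the file goes and can write there" scenario in the reply above.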
    • #2338455

      ? says:

needs “root,” or elevated permission to run hence password required. my live distro doesn’t need elevated permission. you can go to your filesystem and search for “sudo,” then look at the file permission(s) to verify, or run ls -l in the terminal, see:

      https://phoenixnap.com/kb/linux-file-permissions

    • #2338471

      Well, from mn- and ? answers I gather that this might be a problem (so bad that nobody noticed it for nine years?) when: (1) there are multiple users in the same computer (and the bug in question might have a chance to make trouble) and, or (2) the distro of the Linux one is using is either very old, or the same one that ? uses and, or (3) one is exceptionally self-assured (always a problem) and, or (4) too laid-back between using “sudo” and doing something else … Then one might, just might, get into some kind of trouble. Or am I still missing (5) here?

      In any case, I am starting to feel definitely better about this. And it is going to get patched anyway, if it hasn’t been already.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      • #2338477

Do all you can to make sure your computers are updated; even Apple might have released an update for this. Since Mint is derived from Ubuntu you should have already been offered the patched sudo. Hey, let some people you know know that this one is important. 🙂

    • #2338819

      Updated my Linux Mint laptop last night along with Firefox and a couple other updates.  Everything is working well.

      Being 20 something in the 70's was far more fun than being 70 something in the insane 20's
      • #2338870

        I updated 3 Mint 19.2 Cinnamon computers last night with FF 85, the 4.15.0-135 kernel, and the topic of this thread, the sudo patch. No issues.

        Also did the same on an Ubuntu 18.04 LTS except that for some reason FF 85 didn’t come through the Updater. No issues.

        • #2339018

          It seems there has been a lot more Kernel updates in the past year.  I stopped at the 4.15.0-123 update because it had and has kept the lowest amount of Bugs (one).  I’ve checked and seen where newer Kernel updates have caused the finger pad and/or mouse to stop working, among other problems.

          Are the Kernel updates that necessary and important?

          Linux Mint Cinnamon 19.1

          Being 20 something in the 70's was far more fun than being 70 something in the insane 20's
          • #2339038

            ? says:

            Charlie, for security. i use synaptic and set the repositories to “security only.” if you update through the terminal you can get security patches using:

apt-get -s dist-upgrade | grep "^Inst" | grep -i securi | awk -F " " '{print $2}' | xargs sudo apt-get install

            from the last comment in: “To update or not to update”
            https://forums.linuxmint.com/viewtopic.php?f=47&t=300959&sid=85aba05e21be86f1d06fdae3db7a7d12&start=20

            • #2339070

              Okay, but the Kernel updates I’m getting are coming through the Update Manager.  Are you referring to the Synaptic Package Manager?

              Being 20 something in the 70's was far more fun than being 70 something in the insane 20's
            • #2339096

              ? says:

              yes, the last kernel came through the synaptic package manager on the 27th (for ubuntu 16.04):

              Commit Log for Wed Jan 27 07:38:36 2021
              Upgraded the following packages:
              linux-generic (4.4.0.200.206) to 4.4.0.201.207
              linux-headers-generic (4.4.0.200.206) to 4.4.0.201.207
              linux-image-generic (4.4.0.200.206) to 4.4.0.201.207
              linux-libc-dev (4.4.0-200.232) to 4.4.0-201.233

              which is a security patch:

              https://packages.ubuntu.com/xenial/linux-image-generic

              (has “security,” at the tail end…


          • #2341899

As often as not, kernel updates fix driver and feature issues. They may contain security changes, but these changes also usually get offered for existing kernels. You do not need to run the latest Linux kernel for your distro if all your Software Updates are up to date.

            In fact, running a too-recent (upstream) kernel can break things. That’s why there are fall-backs like Recovery Mode (Linux Safe Mode) and the OEM kernel in the Grub Menu. I have had an SD Card Reader which Fedora’s upstream kernels have broken from time to time. This is on a Chromebook. But other more mundane configurations can also break.

            -- rc primak

            • #2341910

              but these changes also usually get offered for existing kernels.

              … and this is exactly what was discussed above – security patches for the 4.4, 4.15, and such kernels.

              Upstream mainline is somewhere around 5.10 (released and umpteen patches on top of that already) / 5.11 (release candidates).

            • #2341911

              Fedora is quite a bit different than the Ubuntu derivatives that most people use. Fedora will quite happily upgrade you to the latest kernel that has been released and remove the old ones, since it is only set to keep two previous versions. These new versions may well outpace any software you have that isn’t part of the Fedora distribution, as I found out when I was using Fedora (before I found the fix for KDE Connect, which KDE and Ubuntu had as yet not decided to fix). Fedora is known for its near bleeding edge update status.

              Ubuntu is a lot more conservative, especially with the LTS versions (which many derivative distros, like Mint, use as their base). If you’re using a LTS kernel, like 4.15 or 5.4, it won’t automatically upgrade to a new kernel until the old one stops receiving updates, which won’t happen until 5 years have passed since the first release.

              The releases within any one kernel version are bug fixes and backported security fixes, and it is usually a good idea to install them. Rarely, there is an issue with one of them that will make you want to go back, and it’s easy to do, as Ubuntu (and related) won’t delete the old ones by default as Fedora will. They’ll all still be there if you want them. All you have to do is choose the one you want at the GRUB menu (which will appear by default if you have more than one OS installed). You can then uninstall the old one and put a hold on further kernel updates if you wish.

              If you want a newer kernel version, you can move to the HWE or HWE-Edge stacks, which are also used by newer releases of Ubuntu LTS versions and their descendants (for example, Ubuntu 20.04.2 uses the HWE stack, providing the 5.8 kernel rather than the 5.4 LTS kernel that came with the original 20.04).

The non-LTS kernel releases are supported for a shorter time than the LTS kernel and will (if you have the HWE stack metapackage installed) automatically roll over to the next supported version only when Ubuntu stops support for the old one. At some point, Ubuntu will stop updating 5.8, and at that time the HWE stack will roll over to whatever the next HWE kernel is at that point (which will be the kernel version they decide to use for whatever the next Ubuntu release is at that point in time). It won’t happen for every point release version as with Fedora, and is much slower in pace.

              Kernel releases may sound scary, but they’re actually easier to revert than pretty much anything else if you don’t find the new one to be to your liking. You can, if you want, keep multiple kernels installed and boot to the one that suits what you are doing. I usually use 5.8 these days, but Veeam does not work with it, so I boot to 5.4 to use that.


              Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
              XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
              Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

            • #2343802

              We don’t usually talk about it, but a lot of Windows Cumulative Updates contain kernel updates.

              -- rc primak

    • #2342148

      ? says:

      i’m glad the sudo hole was repaired! just received another kernel patch through synaptic package manager for ubuntu:

      Commit Log for Tue Feb  9 04:54:34 2021
Installed the following packages:
      linux-headers-5.8.0-43-generic (5.8.0-43.49~20.04.1)
      linux-hwe-5.8-headers-5.8.0-43 (5.8.0-43.49~20.04.1)
      linux-image-5.8.0-43-generic (5.8.0-43.49~20.04.1)
      linux-modules-5.8.0-43-generic (5.8.0-43.49~20.04.1)
      linux-modules-extra-5.8.0-43-generic (5.8.0-43.49~20.04.1)

      and have the original 20.04 release kernel 5.4 onboard as well…


      • #2343803

        Yep, those are the ones I got too. Autoremove will take out the less secure older kernels. If not, the process gets tedious, but Ubuntu Cleaner (Janitor) is one tool which makes Ubuntu kernel cleanups easier. Or you can bang out the whole process with the Synaptic Package Manager.

        -- rc primak

    • #2343844

      ? says:

      thank you for your reply, rc. i usually keep the original kernel that ships with a ubuntu lts iso as a fall back because i’ve had updated kernels refuse to boot. please pardon my facetiousness concerning windows kernels having updates…
