Thread: CVE-2021-3156 vulnerability -- sudo upgrade

  1. #1
    Join Date
    Jan 2021
    Beans
    2

    CVE-2021-3156 vulnerability -- sudo upgrade

    Hi,

    yesterday I read about CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) on
    https://blog.qualys.com/vulnerabilit...-baron-samedit
    According to this research "All legacy versions from 1.8.2 to 1.8.31p2" of sudo are vulnerable to this threat.

    According to the sudo developers the vulnerability is fixed in stable release 1.9.5p2
    https://www.sudo.ws/news.html

    I am running Ubuntu Server 20.04.1 LTS and tried to update the sudo package.

    apt list --installed returns:

    sudo/focal-updates,focal-security,now 1.8.31-1ubuntu1.2 amd64

    On the following website I found information that I am not sure I understand correctly:
    https://ubuntu.com/security/CVE-2021-3156
    Does this mean the vulnerability is fixed by Canonical (???) in the sudo 1.8.31-1ubuntu1.2 package?

    After apt update && upgrade the cli command sudo --version returns:

    Sudo version 1.8.31
    Sudoers policy plugin version 1.8.31
    Sudoers file grammar version 46
    Sudoers I/O plugin version 1.8.31

    Or do we have to wait for an update/upgrade of the LTS repository to sudo version 1.9.5p2?
    As I want to stay on the LTS, a dist upgrade to Ubuntu 21.04 (Hirsute Hippo) is not an option.

    Kind Regards
    Sebastian

  2. #2
    Join Date
    Aug 2011
    Location
    52.5° N 6.4° E
    Beans
    6,824
    Distro
    Xubuntu 22.04 Jammy Jellyfish

    Re: CVE-2021-3156 vulnerability -- sudo upgrade

    See this thread: https://ubuntuforums.org/showthread.php?t=2457178

    To see the version of the sudo package on your system, run
    Code:
    apt-cache policy sudo

  3. #3
    Join Date
    Dec 2014
    Beans
    2,590

    Re: CVE-2021-3156 vulnerability -- sudo upgrade

    There's an example of what happens on unpatched systems in the blog entry you link to:
    Code:
    sudoedit -s '\' `perl -e 'print "A" x 65536'`
    should lead to a crash (of sudo, not of the whole system) with dumped core. On a patched system you'll get a notice on the legal options to sudoedit instead ('sudoedit' should be the same as 'sudo -e' and you should not be able to have both the '-e' and the '-s' option at the same time). On my Xubuntu 18.04 with the sudo package at 1.8.21p2-3ubuntu1.4 I get the notice, so a patch was applied - probably in the update I did yesterday. And 'sudo --version' still returns 'Sudo-Version 1.8.21p2', probably so that programs that parse the version don't get confused by the additional information ('-3ubuntu1.4').


    Holger

  4. #4
    Join Date
    Jan 2021
    Beans
    2

    Re: CVE-2021-3156 vulnerability -- sudo upgrade

    Great, thanks a lot for the fast and helpful answers and the link.

    EDIT: This seems to explain how such upgrades are deployed
    https://askubuntu.com/questions/8912...een-backported
    Last edited by sebastian-malin; January 28th, 2021 at 01:38 PM.

  5. #5
    Join Date
    Jul 2005
    Location
    I think I'm here! Maybe?
    Beans
    Hidden!
    Distro
    Xubuntu 22.04 Jammy Jellyfish

    Re: CVE-2021-3156 vulnerability -- sudo upgrade

    There was an upgrade of sudo yesterday,
    2021-01-26 21:44:05 upgrade sudo:amd64 1.8.31-1ubuntu1.1 1.8.31-1ubuntu1.2
    so I wonder if it was a patch to deal with that vulnerability. I didn't look at the changelog so have no idea what it was; others may know a lot more.

    EDIT:
    Just noticed the link in Impavidus's post #2 which seems to suggest that it is now fixed by the upgrade.
    Last edited by ajgreeny; January 28th, 2021 at 12:32 PM. Reason: Extra information
