Re: sudo: IP addresses in sudoers with netmask may match additional hosts (CVE-2012-2337)

[Jan Lieskovsky <jlieskov () redhat com>]

Hi Solar,

On 05/18/2012 01:57 PM, Solar Designer wrote:
> Hi,
>
> (I was hoping someone else would bring this in here once it became public.)

Yes, my fault (Thought not to forget to do so on Wednesday, but
got distracted by something else, and in the end it resulted me not to
send it completely :().

Apologize for that and thank you for sending it.

Will do better job next time.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> A sudo advisory was published by upstream and corrected versions were
> released on 2012-05-16:
>
> http://www.sudo.ws/sudo/alerts/netmask.html
>
> "Summary:
> A flaw exists in the IP network matching code in sudo versions 1.6.9p3
> through 1.8.4p4 that may result in the local host being matched even
> though it is not actually part of the network described by the IP
> address and associated netmask listed in the sudoers file or in LDAP.
> As a result, users authorized to run commands on certain IP networks may
> be able to run commands on hosts that belong to other networks not
> explicitly listed in sudoers.
>
> Sudo versions affected:
> Sudo versions 1.6.9p3 through 1.8.4p4 inclusive are affected.  The bug
> only has an effect when the sudoers file (or LDAP sudoers data) using a
> host specification that grants permissions using an IP address with an
> associated netmask, e.g. 10.0.1.0/255.255.255.0 or 10.0.2.0/24."
>
> This is CVE-2012-2337.
>
> Red Hat Bugzilla entries:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=820677
> https://bugzilla.redhat.com/show_bug.cgi?id=822175
>
> Ubuntu advisory:
>
> http://www.ubuntu.com/usn/usn-1442-1/
>
> Debian tracking:
>
> http://security-tracker.debian.org/tracker/CVE-2012-2337
>
> Alexander