alpine / aports / Issues / #10874

Closed. Created Oct 14, 2019 by Tom Parrott (@tomponline). 4 of 5 tasks completed.

sudo needs updating to 1.8.28, due to security flaw (CVE-2019-14287)

https://thehackernews.com/2019/10/linux-sudo-run-as-root-flaw.html

https://www.sudo.ws/alerts/minus_1_uid.html

Summary: When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295. This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.

Log entries for commands run this way will list the target user as 4294967295 instead of root. In addition, PAM session modules will not be run for the command.

Sudo versions affected: Sudo versions prior to 1.8.28 are affected.

CVE ID: This vulnerability has been assigned CVE-2019-14287 in the Common Vulnerabilities and Exposures database.

Affected branches:

  • master (87cda3c1)
  • 3.10-stable (3646eb84)
  • 3.9-stable (4eb0cde9)
  • 3.8-stable (65742d16)
  • 3.7-stable (WONTFIX, EOL)
Edited Feb 05, 2020 by Natanael Copa
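The mechanism behind the advisory text quoted in this issue, as an added example that is not part of the issue or of sudo's own code: with a Runas spec such as `bob = (ALL, !root) /usr/bin/vi`, bob can run `sudo -u#-1 vi` (or `sudo -u#4294967295 vi`). The numeric target is compared against root's uid 0, found to be different, and then handed to setresuid(), which treats (uid_t)-1 as "leave unchanged", so the setuid-root sudo process simply stays root. The C below models that path with a vulnerable and a hardened uid parser (a model, not sudo's actual sudo_strtoid code) and checks the setresuid() no-op behaviour live on Linux. All function and macro names are this example's own.

```c
#define _GNU_SOURCE            /* for setresuid() on glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototype repeated in case <unistd.h> was already read without _GNU_SOURCE. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* Constructed model of the sudoers Runas spec "(ALL, !root)": any uid other
 * than root's is an acceptable target. Not sudo's real matcher. */
#define ROOT_UID ((uid_t)0)

/* Parser in the spirit of the pre-1.8.28 behaviour: the text after "-u#" is
 * converted to a number and cast to uid_t with no further validation.
 * "-1" wraps to (uid_t)-1 (4294967295 on Linux) and "4294967295" is that
 * value already. Returns 0 on success, -1 on a syntax error. */
int parse_uid_vulnerable(const char *s, uid_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return -1;
    *out = (uid_t)v;        /* the missing check: (uid_t)-1 passes through */
    return 0;
}

/* Hardened parser: rejects negatives, values beyond the uid_t range and the
 * (uid_t)-1 sentinel that setresuid() interprets as "leave unchanged". */
int parse_uid_hardened(const char *s, uid_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return -1;
    if (v < 0 || (unsigned long long)v >= (unsigned long long)(uid_t)-1)
        return -1;
    *out = (uid_t)v;
    return 0;
}

/* "(ALL, !root)" compares the target numerically against root's uid, so
 * 4294967295 is permitted even though it can never become a real uid. */
int runas_all_but_root_permits(uid_t target)
{
    return target != ROOT_UID;
}

/* What the uid switch yields: setresuid() leaves a uid alone when it is
 * passed (uid_t)-1, so the process keeps the uid it already has. sudo is
 * setuid-root, so "current" is 0 at that point. */
uid_t uid_after_switch(uid_t current, uid_t target)
{
    return target == (uid_t)-1 ? current : target;
}

/* Live check of the kernel semantics the bug relied on: setresuid(-1,-1,-1)
 * succeeds and changes nothing, even for an unprivileged process.
 * Returns 1 when the uid is unchanged, 0 otherwise. Linux-specific. */
int setresuid_minus_one_is_noop(void)
{
    uid_t before = getuid();
    if (setresuid((uid_t)-1, (uid_t)-1, (uid_t)-1) != 0)
        return 0;
    return getuid() == before;
}

int main(void)
{
    /* Constructed inputs: two ordinary targets and the two advisory values. */
    const char *inputs[] = { "1000", "0", "-1", "4294967295" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uid_t uid = 0;
        if (parse_uid_vulnerable(inputs[i], &uid) == 0)
            printf("-u#%-10s vulnerable: uid %10u, (ALL,!root) permits=%d, ends up as uid %u\n",
                   inputs[i], (unsigned)uid, runas_all_but_root_permits(uid),
                   (unsigned)uid_after_switch(ROOT_UID, uid));
        printf("-u#%-10s hardened:   %s\n", inputs[i],
               parse_uid_hardened(inputs[i], &uid) == 0 ? "accepted" : "rejected");
    }
    printf("setresuid(-1,-1,-1) is a no-op: %d\n", setresuid_minus_one_is_noop());
    return 0;
}
```

Compile with `cc -Wall example.c && ./a.out` as an unprivileged user; the setresuid() check does not need root. The hardened parser rejects the sentinel at parse time, which is the right layer: by the time the value reaches the Runas matcher it already looks like a legitimate non-root uid, and by the time it reaches setresuid() the kernel will happily do nothing with it. The same reasoning explains the advisory's note that logs show 4294967295 rather than root and that PAM session modules are skipped: every later stage trusted the parsed number.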