securitybreach Posted February 4, 2020 Share Posted February 4, 2020 Quote According to the latest report published by The Debian Project, a Sudo vulnerability exists that allows hackers to gain access to root privileges and execute commands. The vulnerability exists in the Sudo package (Sudo stands for “superuser do”) which allows users to execute programs and commands with security privileges of a superuser. Tagged as CVE -2019-18634, the Sudo flaw has affected Debian GNU/Linux 9 “Stretch” operating system series running Sudo versions prior to 1.8.26 vis-à-vis versions 1.7.1 to 1.8.25p1. Thankfully, the flaw can be exploited only when “pwfeedback” option is enabled in Sudoers by the system administrator. According to the National Vulnerability Database, in CVE-2019-18634 Linux flaw, “if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process.” However, Sudo developer Todd C. Miller says that the flaw can also be triggered even when Sudo permissions are not granted. It requires only pwfeedback to be enabled to exploit the flaw, as per Miller. https://fossbytes.com/sudo-linux-bug-allows-hackers-execute-commands-root-user/ Quote Link to comment Share on other sites More sharing options...
sunrat Posted February 4, 2020 Share Posted February 4, 2020 Old news. This was fixed with a Debian security update on Feb 01 - Hmmm, interesting. Posting a "Share" link shows an image of the first post in the topic but links to the correct post. Suboptimal. The posting box pops up an option to post as link instead: https://forums.scotsnewsletter.com/index.php?/topic/22937-new-updates-debian/&do=findComment&comment=462539 Sudo is not installed by default in Debian unless a root password is not set during install. It's superfluous fluff IMHO for a single-user system. 1 Quote Link to comment Share on other sites More sharing options...
raymac46 Posted February 4, 2020 Share Posted February 4, 2020 Linux Mint sudo has been updated to an appropriate version. Quote Link to comment Share on other sites More sharing options...
securitybreach Posted February 4, 2020 Author Share Posted February 4, 2020 1 hour ago, sunrat said: Old news. This was fixed with a Debian security update on Feb 01 - Hmmm, interesting. Posting a "Share" link shows an image of the first post in the topic but links to the correct post. Suboptimal. The posting box pops up an option to post as link instead: https://forums.scotsnewsletter.com/index.php?/topic/22937-new-updates-debian/&do=findComment&comment=462539 Sudo is not installed by default in Debian unless a root password is not set during install. It's superfluous fluff IMHO for a single-user system. Well the post was posted today on fossbytes. I wonder why they didn't research before posting. Quote Link to comment Share on other sites More sharing options...
securitybreach Posted February 4, 2020 Author Share Posted February 4, 2020 Oddly enough, the US government has not even finished the analysis CVE-2019-18634 Detail Undergoing Analysis This vulnerability is currently undergoing analysis and not all information is available. Please check back soon to view the completed vulnerability summary. https://nvd.nist.gov/vuln/detail/CVE-2019-18634 Quote Link to comment Share on other sites More sharing options...
sunrat Posted February 5, 2020 Share Posted February 5, 2020 2 hours ago, securitybreach said: Well the post was posted today on fossbytes. I wonder why they didn't research before posting. Debian security devs are usually really quick with stuff like this. And probably it was trivial to fix. It only affects Stretch too, which is oldstable. Most Debian users will be on Buster, current stable. 1 Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted February 5, 2020 Share Posted February 5, 2020 I received a security alert from Slackware a couple days ago about this. I already updated. I don't use sudo at all on my Slackware, anyway. Quote Link to comment Share on other sites More sharing options...
ebrke Posted February 5, 2020 Share Posted February 5, 2020 If my aging memory serves me, OpenSUSE used to let you disable sudo. Apparently that's no longer the case, or I just can't find the setting in Security. I've always just logged in as su, holdover from my unix days. Quote Link to comment Share on other sites More sharing options...
Guest Mauser Posted February 7, 2020 Share Posted February 7, 2020 On 2/4/2020 at 8:57 PM, raymac46 said: Linux Mint sudo has been updated to an appropriate version. Did they ever fix the security hole of no password is asked for installing Flatpaks? Quote Link to comment Share on other sites More sharing options...
Guest Mauser Posted February 7, 2020 Share Posted February 7, 2020 On 2/5/2020 at 8:35 PM, ebrke said: If my aging memory serves me, OpenSUSE used to let you disable sudo. Apparently that's no longer the case, or I just can't find the setting in Security. I've always just logged in as su, holdover from my unix days. Actually when I ran openSUESE years ago sudo never worked. You had to use su instead. Quote Link to comment Share on other sites More sharing options...
securitybreach Posted February 7, 2020 Author Share Posted February 7, 2020 3 minutes ago, Mauser said: Did they ever fix the security hole of no password is asked for installing Flatpaks? It's not a bug. Flatpak is installed globally and anyone in the sudo group can install a flatpak without typing sudo. Quote Link to comment Share on other sites More sharing options...
securitybreach Posted February 7, 2020 Author Share Posted February 7, 2020 2 minutes ago, Mauser said: Actually when I ran openSUESE years ago sudo never worked. You had to use su instead. You have to set it up. https://en.opensuse.org/SDB:Administer_with_sudo Quote Link to comment Share on other sites More sharing options...
Guest Mauser Posted February 7, 2020 Share Posted February 7, 2020 Just now, securitybreach said: It's not a bug. Flatpak is installed globally and anyone in the sudo group can install a flatpak without sudo. I never said it's a bug. I said it's a security hole. Running all the time in sudo is another security hole. Quote Link to comment Share on other sites More sharing options...
securitybreach Posted February 7, 2020 Author Share Posted February 7, 2020 Just now, Mauser said: I never said it's a bug. I said it's a security hole. Running all the time in sudo is another security hole. It's not a hole either. Sudo authenticates via your user password so if you are already authenticated, it goes through as intended. Quote Link to comment Share on other sites More sharing options...
securitybreach Posted February 7, 2020 Author Share Posted February 7, 2020 Now, you can change that behavior if you want to. I have mine set to ask for the user password for some things and the root password for other things. It's all about how you set it up. Quote Link to comment Share on other sites More sharing options...
Guest Mauser Posted February 7, 2020 Share Posted February 7, 2020 Just now, securitybreach said: It's not a hole either. Sudo authenticates via your user password so if you are already authenticated, it goes through as intended. It's a security hole when it doesn't ask your password when installing Flatpaks like in Linux mint. Quote Link to comment Share on other sites More sharing options...
securitybreach Posted February 7, 2020 Author Share Posted February 7, 2020 If you say so. Quote Link to comment Share on other sites More sharing options...
securitybreach Posted February 7, 2020 Author Share Posted February 7, 2020 It is set up that way on purpose: https://askubuntu.com/questions/147241/execute-sudo-without-password#147265 Quote Link to comment Share on other sites More sharing options...
Guest Mauser Posted February 7, 2020 Share Posted February 7, 2020 1 minute ago, securitybreach said: Now, you can change that behavior if you want to. I have mine set to ask for the user password for some things and the root password for other things. It's all about how you set it up. When I used Linux mint they never told me that. They basically told me to pound sand. I exercised my first amendment rights and replaced Linux mint with Xubutu back then. Quote Link to comment Share on other sites More sharing options...
securitybreach Posted February 7, 2020 Author Share Posted February 7, 2020 You could of just changed the behavior easily enough by editing /etc/sudoers. Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted February 7, 2020 Share Posted February 7, 2020 4 minutes ago, Mauser said: When I used Linux mint they never told me that. Who exactly are you referring to when you say "they" here? 1 Quote Link to comment Share on other sites More sharing options...
Guest Mauser Posted February 7, 2020 Share Posted February 7, 2020 1 minute ago, V.T. Eric Layton said: Who exactly are you referring to when you say "they" here? The ones on the Linux mint forum. Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted February 7, 2020 Share Posted February 7, 2020 11 minutes ago, Mauser said: The ones on the Linux mint forum. Ah... well, that's a community support forum inhabited by many folks using Linux Mint and willing to assist others. However, the way you made it sound in your post was that you expected to be told something about the Free Linux Mint operating system that you chose to use and install. You know it doesn't work that way. If you want to learn/know things about "free as beer" operating systems, you'll need to do your homework. No one is going to lead you by the hand. These OSes are NOT Windows, as I like to tell new Linux folks. It's a whole different world. GNU/Linux does require some effort on the part of the new user. But, hey... I'm just practicing my typing here because I know you're aware of this already. 1 Quote Link to comment Share on other sites More sharing options...
securitybreach Posted February 7, 2020 Author Share Posted February 7, 2020 Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted February 7, 2020 Share Posted February 7, 2020 Mauser, I'm not pickin' on you, man. It's just that for many, many years now I've seen so many new Linux users get all whizzed off because they don't feel they're getting the support they should be getting from the operating system choices they're making. My reply is usually something along the lines of, "Well, you're getting your money's worth" - meaning you paid nothing for the operating system that MANY people contributed MANY hours of their lives to help create and maintain. You can't expect RedHat Customer Support unless you're paying RedHat the BIG BUCKS for that. Anyway, here at Scot's we pride ourselves on helping new and experienced Linux folks with even the most trivial issues. That goes 100% for the MS Windows folks here to assist Windows users with their issues. You've come to the right place for any assistance, but like anything in life, you have to put a little effort into it, too. And, like I said above... I'm sure you know all this already. Ugly storm coming my way in a bit. I may have to power down this soul-sucking box till tomorrow. We'll see how bad it gets in a few minutes... Quote Link to comment Share on other sites More sharing options...
securitybreach Posted February 7, 2020 Author Share Posted February 7, 2020 Agreed and thanks Eric 1 Quote Link to comment Share on other sites More sharing options...
raymac46 Posted February 7, 2020 Share Posted February 7, 2020 I have not used Flatpaks in any way shape or form on Linux Mint so I can't comment about any security hole. 1 Quote Link to comment Share on other sites More sharing options...
securitybreach Posted February 7, 2020 Author Share Posted February 7, 2020 2 minutes ago, raymac46 said: I have not used Flatpaks in any way shape or form on Linux Mint so I can't comment about any security hole. Same. I do not use any "universal" packages as they cannot be tracked by the package manager on my distro. Quote Link to comment Share on other sites More sharing options...
sunrat Posted February 7, 2020 Share Posted February 7, 2020 I agree, containerised applications (Snap, Flatpak, Appimage) are a curse on Linux. In my opinion they are a far worse development than systemd ever was and I find it hard to believe there is not similar outrage about distros supporting their use. There's been a flood of support questions about them at both Debian and MX forums. I rarely find the need to install anything from outside the distro repo and the handful I do are from dedicated 3rd party Debian repos or a couple of Python scripts. Currently that's just Strawberry, DeadBeef, Syncthing (it's in Debian but that version is missing a couple of functions), Flacon, SACAD, sacd, Pulseaudio Parametric Equalizer. In case you're wondering, SACAD is Super Album Cover Automatic Downloader, whereas sacd is to convert a disk image of Super Audio CD to regular files. Flacon converts a single album FLAC file with cue list to multiple single track files. 1 Quote Link to comment Share on other sites More sharing options...
securitybreach Posted February 7, 2020 Author Share Posted February 7, 2020 2 hours ago, sunrat said: I agree, containerised applications (Snap, Flatpak, Appimage) are a curse on Linux. In my opinion they are a far worse development than systemd ever was and I find it hard to believe there is not similar outrage about distros supporting their use. There's been a flood of support questions about them at both Debian and MX forums. I rarely find the need to install anything from outside the distro repo and the handful I do are from dedicated 3rd party Debian repos or a couple of Python scripts. Currently that's just Strawberry, DeadBeef, Syncthing (it's in Debian but that version is missing a couple of functions), Flacon, SACAD, sacd, Pulseaudio Parametric Equalizer. In case you're wondering, SACAD is Super Album Cover Automatic Downloader, whereas sacd is to convert a disk image of Super Audio CD to regular files. Flacon converts a single album FLAC file with cue list to multiple single track files. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.