Linux sudo flaw
- This topic has 37 replies, 10 voices, and was last updated 1 month, 1 week ago.
January 27, 2021 at 11:55 pm #2338250
Susan Bradley
Manager
Over there on the “other” platform, Linux also needs to be updated this week. As bleepingcomputer notes, A now-fixed Sudo vulnerability allowed any lo
[See the full post at: Linux sudo flaw]
Susan Bradley Patch Lady
-
January 28, 2021 at 3:52 am #2338293
Ascaris
AskWoody_MVP
Already fixed on Ubuntu and derivatives. The update is dated January 19, 2021, though I don’t know if that means it was packaged and released that day. It was already installed when I first saw the news and checked.
Group "L" (KDE Neon Linux 5.21.2 User Edition)
1 user thanked author for this post.
-
January 28, 2021 at 10:10 am #2338358
Still Anonymous
AskWoody Lounger
This is an instructive caution about open source projects. Just because the source code can be viewed, doesn’t necessarily mean that it is being reviewed.
On the other hand, once a flaw of this type is discovered, it’s something that can be fixed, and updates distributed relatively quickly. And for most major Linux distros, updates will show up in the various repositories, where they can quickly/easily be installed by normal package management processes.
Quite a bit of contrast from Microsoft, often having to wait until the next Patch Tuesday (and risk of problems with other updates being bundled), or Apple’s no-communication approach of simply releasing an update package when they decide they’re ready. Or for that matter, most Windows packages where there’s a variety of update mechanisms ranging from silent/automatic update to Help -> Check for Updates to the need to visit a developer’s website to manually download and install.
1 user thanked author for this post.
-
February 8, 2021 at 10:30 am #2341893
-
-
January 28, 2021 at 12:13 pm #2338361
anonymous
Guest
? says:
thank you for the notice, Susan.
Commit Log for Tue Jan 26 15:00:08 2021
Upgraded the following packages:
sudo (1.8.31-1ubuntu1) to 1.8.31-1ubuntu1.2
and does windows have “kernel updates?”
Commit Log for Thu Jan 14 19:30:59 2021
Upgraded the following packages:
linux-generic-hwe-20.04 (5.8.0.36.40~20.04.21) to 5.8.0.38.43~20.04.23
linux-headers-generic-hwe-20.04 (5.8.0.36.40~20.04.21) to 5.8.0.38.43~20.04.23
linux-image-generic-hwe-20.04 (5.8.0.36.40~20.04.21) to 5.8.0.38.43~20.04.23
Installed the following packages:
linux-headers-5.8.0-38-generic (5.8.0-38.43~20.04.1)
linux-hwe-5.8-headers-5.8.0-38 (5.8.0-38.43~20.04.1)
linux-image-5.8.0-38-generic (5.8.0-38.43~20.04.1)
linux-modules-5.8.0-38-generic (5.8.0-38.43~20.04.1)
linux-modules-extra-5.8.0-38-generic (5.8.0-38.43~20.04.1)
thank you!
-
January 28, 2021 at 3:12 pm #2338432
-
-
January 28, 2021 at 1:10 pm #2338387
Fred
AskWoody Plus
This is an instructive caution about open source projects. Just because the source code can be viewed, doesn’t necessarily mean that it is being reviewed.
just a “little” hole for about 10 years,
https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
~ ~ ~
1 user thanked author for this post.
-
January 28, 2021 at 1:38 pm #2338398
Charlie
AskWoody Plus
-
January 28, 2021 at 3:10 pm #2338431
mn–
AskWoody Lounger
The issue is only relevant to cases where there’s another user who is not supposed to be able to gain admin credentials.
Unfortunately any number of things callable from the network can qualify for that if they can be made to call sudo with arbitrary command line arguments.
And after the fix, sudo will work more correctly, though this only affects cases where you had things like file, directory or device names ending in a \ character that you’d use in sudo commands. (Remember, it’s not a path separator in Unix/Linux…)
5 users thanked author for this post.
-
January 28, 2021 at 3:55 pm #2338435
Charlie
AskWoody Plus
So is this fix really necessary for cases like mine where I’m the only one using or even knows how to use sudo? I’m just concerned about installing any update that I don’t need, and having it mess up something that currently works just fine.
-
January 28, 2021 at 4:36 pm #2338440
mn–
AskWoody Lounger
By the principle of defense in depth, you do want this fix.
Because if someone manages to be able to run shell commands as you some other way, say from a browser or email fault, they can get root credentials with this.
And also, if you manage to end up with… say, file names… ending in the \ character (it’s allowed in file names just fine in Unix/Linux), running without the fix is somewhat unsafe even in full isolation.
5 users thanked author for this post.
-
-
-
-
January 28, 2021 at 2:11 pm #2338399
anonymous
Guest
-
February 8, 2021 at 10:33 am #2341897
-
-
January 28, 2021 at 3:27 pm #2338433
mn–
AskWoody Lounger
Oh and this is really not limited to Linux.
While I haven’t seen any attempts at reproducing this on other operating systems, it’s not unlikely that sudo is affected across all of them.
Sudo runs on all the BSDs I believe, and MacOS, AIX, HP-UX (both hppa and Itanium), Solaris (i386, x86-64 and Sparc), … and a bunch of other things. Wouldn’t be surprised to find it on Juniper routers for example (JunOS looks very BSD-like), or any number of embedded or integrated systems – VxWorks is POSIX enough that having a sudo on the NASA Mars rovers is not at all impossible.
1 user thanked author for this post.
-
January 28, 2021 at 5:20 pm #2338447
OscarCP
AskWoody Plus
How does this work, given that “sudo”, by default, requires that the user enters the login password before being enabled to issue a line command with super user status?
https://superuser.com/questions/67765/sudo-with-password-in-one-command-line
Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)
1 user thanked author for this post.
-
January 28, 2021 at 6:58 pm #2338451
mn–
AskWoody Lounger
-
January 28, 2021 at 7:01 pm #2338452
OscarCP
AskWoody Plus
-
January 28, 2021 at 7:21 pm #2338457
mn–
AskWoody Lounger
Actually, password checking may not need elevated privileges. Didn’t on older systems, back before “shadow” passwords… and in low-security environments you might still find such configurations. Inadvisable unless you really can’t help it, but…
And… you know how sudo typically allows you to run a *second* command at elevated privileges without entering the password a second time if you’re quick enough? Yeah, that. It doesn’t stay in memory or anything, it just saves a marker in a file and checks that for time and session differences – and if those are good enough it elevates your privileges without asking for your password.
Yes, this means that if you know where that file goes and have the privileges to write there, you can bypass the password prompt. (Then again in that case you already seem to have pretty much all the privileges, so…)
1 user thanked author for this post.
-
-
-
-
January 28, 2021 at 7:58 pm #2338455
anonymous
Guest
? says:
needs “root,” or elevated permission to run hence password required. my live distro doesn’t need elevated permission. you can go to your filesystem and search for “sudo,” then look at the file permission(s) to verify, or run ls -l in the terminal, see:
Linux File Permission Tutorial: How to Check and Change Permissions
1 user thanked author for this post.
-
January 28, 2021 at 8:44 pm #2338471
OscarCP
AskWoody Plus
Well, from mn- and ? answers I gather that this might be a problem (so bad that nobody noticed it for nine years?) when: (1) there are multiple users in the same computer (and the bug in question might have a chance to make trouble) and, or (2) the distro of the Linux one is using is either very old, or the same one that ? uses and, or (3) one is exceptionally self-assured (always a problem) and, or (4) too laid-back between using “sudo” and doing something else … Then one might, just might, get into some kind of trouble. Or am I still missing (5) here?
In any case, I am starting to feel definitely better about this. And it is going to get patched anyway, if it hasn’t been already.
Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)
1 user thanked author for this post.
-
January 28, 2021 at 10:21 pm #2338477
anonymous
Guest
Do all you can to make sure your computers are updated, even Apple might have released an update for this. Since Mint is derived from Ubuntu you should have already been offered the patched sudo. Hey let some people you know this one is important. 🙂
-
-
January 30, 2021 at 2:01 pm #2338819
Charlie
AskWoody Plus
-
January 30, 2021 at 8:32 pm #2338870
DrBonzo
AskWoody Plus
I updated 3 Mint 19.2 Cinnamon computers last night with FF 85, the 4.15.0-135 kernel, and the topic of this thread, the sudo patch. No issues.
Also did the same on an Ubuntu 18.04 LTS except that for some reason FF 85 didn’t come through the Updater. No issues.
1 user thanked author for this post.
-
January 31, 2021 at 12:50 pm #2339018
Charlie
AskWoody Plus
It seems there have been a lot more Kernel updates in the past year. I stopped at the 4.15.0-123 update because it had and has kept the lowest amount of Bugs (one). I’ve checked and seen where newer Kernel updates have caused the finger pad and/or mouse to stop working, among other problems.
Are the Kernel updates that necessary and important?
Linux Mint Cinnamon 19.1
1 user thanked author for this post.
-
January 31, 2021 at 2:07 pm #2339038
anonymous
Guest
? says:
Charlie, for security. i use synaptic and set the repositories to “security only.” if you update through the terminal you can get security patches using:
apt-get -s dist-upgrade | grep "^Inst" | grep -i securi | awk -F " " {'print $2'} | xargs sudo apt-get install
from the last comment in: “To update or not to update”
https://forums.linuxmint.com/viewtopic.php?f=47&t=300959&sid=85aba05e21be86f1d06fdae3db7a7d12&start=20
1 user thanked author for this post.
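A reviewable variant of the one-liner quoted in the post above, added here as an example and not part of the thread: it lists pending security upgrades with old and new versions instead of piping them straight into an install, and it matches "-security" only in the archive field rather than anywhere on the line. The function names are hypothetical, and the sample input is constructed in the `Inst` line format of `apt-get -s` (sudo and kernel versions taken from the commit logs in this thread; `demo-security-tools` and the archive names are constructed).

```shell
#!/bin/sh
# Added example: review pending security updates before installing them.

# Reads `apt-get -s dist-upgrade` output on stdin and prints
# "package old_version new_version" for each upgrade offered from an
# archive whose name ends in "-security". Only the source fields are
# tested, so a package that merely has "securi" in its own name is
# not selected (a plain `grep -i securi` would select it).
pending_security_updates() {
    awk '
        $1 == "Inst" {
            pkg = $2; old = "(new)"; new = ""; sec = 0
            for (i = 3; i <= NF; i++) {
                if (new == "" && $i ~ /^\[.*\]$/)
                    old = substr($i, 2, length($i) - 2)   # [installed version]
                else if ($i ~ /^\(/)
                    new = substr($i, 2)                    # (candidate version
                else if (new != "" && $i ~ /-security,?$/)
                    sec = 1                                # e.g. focal-security
            }
            if (sec) print pkg, old, new
        }'
}

# Succeeds (exit 0) when a sudo upgrade is among the pending security updates.
sudo_fix_pending() {
    pending_security_updates | grep -q '^sudo '
}

# Constructed sample of `apt-get -s dist-upgrade` output (not captured
# from a real machine).
sample_simulation() {
    cat <<'EOF'
NOTE: This is only a simulation!
Inst sudo [1.8.31-1ubuntu1] (1.8.31-1ubuntu1.2 Ubuntu:20.04/focal-security [amd64])
Inst linux-image-5.8.0-38-generic (5.8.0-38.43~20.04.1 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
Inst demo-security-tools [1.0-1] (1.0-2 Ubuntu:20.04/focal-updates [all])
Inst demo-editor [1.0-1] (1.0-2 Ubuntu:20.04/focal-updates [amd64])
Conf sudo (1.8.31-1ubuntu1.2 Ubuntu:20.04/focal-security [amd64])
EOF
}

# Demo run on the constructed sample. On a real system, replace
# sample_simulation with:  apt-get -s dist-upgrade
sample_simulation | pending_security_updates
if sample_simulation | sudo_fix_pending; then
    echo "sudo security update is pending: install it"
fi
```

The first column of the output is the package list to hand to `apt-get install` once it has been read.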
-
January 31, 2021 at 3:17 pm #2339070
-
January 31, 2021 at 4:54 pm #2339096
anonymous
Guest
? says:
yes, the last kernel came through the synaptic package manager on the 27th (for ubuntu 16.04):
Commit Log for Wed Jan 27 07:38:36 2021
Upgraded the following packages:
linux-generic (4.4.0.200.206) to 4.4.0.201.207
linux-headers-generic (4.4.0.200.206) to 4.4.0.201.207
linux-image-generic (4.4.0.200.206) to 4.4.0.201.207
linux-libc-dev (4.4.0-200.232) to 4.4.0-201.233
which is a security patch:
https://packages.ubuntu.com/xenial/linux-image-generic
(has “security,” at the tail end…
1 user thanked author for this post.
-
-
February 8, 2021 at 10:42 am #2341899
rc primak
AskWoody_MVP
As often as not, kernel updates fix driver and feature issues. They may contain security changes, but these changes also usually get offered for existing kernels. You do not need to run the latest Linux kernel for your distro if all your Software Updates are up to date.
In fact, running a too-recent (upstream) kernel can break things. That’s why there are fall-backs like Recovery Mode (Linux Safe Mode) and the OEM kernel in the Grub Menu. I have had an SD Card Reader which Fedora’s upstream kernels have broken from time to time. This is on a Chromebook. But other more mundane configurations can also break.
-- rc primak
1 user thanked author for this post.
-
February 8, 2021 at 11:23 am #2341910
mn–
AskWoody Lounger
but these changes also usually get offered for existing kernels.
… and this is exactly what was discussed above – security patches for the 4.4, 4.15, and such kernels.
Upstream mainline is somewhere around 5.10 (released and umpteen patches on top of that already) / 5.11 (release candidates).
1 user thanked author for this post.
-
February 8, 2021 at 11:26 am #2341911
Ascaris
AskWoody_MVP
Fedora is quite a bit different than the Ubuntu derivatives that most people use. Fedora will quite happily upgrade you to the latest kernel that has been released and remove the old ones, since it is only set to keep two previous versions. These new versions may well outpace any software you have that isn’t part of the Fedora distribution, as I found out when I was using Fedora (before I found the fix for KDE Connect, which KDE and Ubuntu had as yet not decided to fix). Fedora is known for its near bleeding edge update status.
Ubuntu is a lot more conservative, especially with the LTS versions (which many derivative distros, like Mint, use as their base). If you’re using a LTS kernel, like 4.15 or 5.4, it won’t automatically upgrade to a new kernel until the old one stops receiving updates, which won’t happen until 5 years have passed since the first release.
The releases within any one kernel version are bug fixes and backported security fixes, and it is usually a good idea to install them. Rarely, there is an issue with one of them that will make you want to go back, and it’s easy to do, as Ubuntu (and related) won’t delete the old ones by default as Fedora will. They’ll all still be there if you want them. All you have to do is choose the one you want at the GRUB menu (which will appear by default if you have more than one OS installed). You can then uninstall the old one and put a hold on further kernel updates if you wish.
If you want a newer kernel version, you can move to the HWE or HWE-Edge stacks, which are also used by newer releases of Ubuntu LTS versions and their descendants (for example, Ubuntu 20.04.2 uses the HWE stack, providing the 5.8 kernel rather than the 5.4 LTS kernel that came with the original 20.04).
The non-LTS kernel releases are supported for a shorter time than the LTS kernel and will (if you have the HWE stack metapackage installed) automatically roll over to the next supported version only when Ubuntu stops support for the old one. At some point, Ubuntu will stop updating 5.8, and at that time the HWE stack will roll over to whatever the next HWE kernel is at that point (which will be the kernel version they decide to use for whatever the next Ubuntu release is at that point in time). It won’t happen for every point release version as with Fedora, and is much slower in pace.
Kernel releases may sound scary, but they’re actually easier to revert than pretty much anything else if you don’t find the new one to be to your liking. You can, if you want, keep multiple kernels installed and boot to the one that suits what you are doing. I usually use 5.8 these days, but Veeam does not work with it, so I boot to 5.4 to use that.
Group "L" (KDE Neon Linux 5.21.2 User Edition)
-
February 15, 2021 at 10:52 am #2343802
-
-
-
-
-
February 9, 2021 at 8:07 am #2342148
anonymous
Guest
? says:
i’m glad the sudo hole was repaired! just received another kernel patch through synaptic package manager for ubuntu:
Commit Log for Tue Feb 9 04:54:34 2021
Installed the following packages:
linux-headers-5.8.0-43-generic (5.8.0-43.49~20.04.1)
linux-hwe-5.8-headers-5.8.0-43 (5.8.0-43.49~20.04.1)
linux-image-5.8.0-43-generic (5.8.0-43.49~20.04.1)
linux-modules-5.8.0-43-generic (5.8.0-43.49~20.04.1)
linux-modules-extra-5.8.0-43-generic (5.8.0-43.49~20.04.1)
and have the original 20.04 release kernel 5.4 onboard as well…
-
February 15, 2021 at 10:54 am #2343803
rc primak
AskWoody_MVP
Yep, those are the ones I got too. Autoremove will take out the less secure older kernels. If not, the process gets tedious, but Ubuntu Cleaner (Janitor) is one tool which makes Ubuntu kernel cleanups easier. Or you can bang out the whole process with the Synaptic Package Manager.
-- rc primak
-
-
February 15, 2021 at 2:42 pm #2343844
-
-