Security fix for CVE-2021-3156
sudo dnf upgrade --advisory=FEDORA-2021-2cb63d912a
This update has been submitted for testing by rsroka.
This update's test gating status has been changed to 'ignored'.
This update's test gating status has been changed to 'waiting'.
CVE-2021-3156 fixed. ("sudoedit -s /" returns usage instead of error, as described in the blog post's FAQ).
"sudoedit -s /"
Works. Did not validate that the exploit is fixed.
This update has been submitted for stable by bodhi.
Downloaded build from Koji, sudo still works, and sudoedit -s / shows usage: which means it should not be vulnerable.
I installed the following packages:
sudo dnf install https://kojipkgs.fedoraproject.org//packages/sudo/1.9.5p2/1.fc33/x86_64/sudo-1.9.5p2-1.fc33.x86_64.rpm https://kojipkgs.fedoraproject.org//packages/sudo/1.9.5p2/1.fc33/x86_64/sudo-python-plugin-1.9.5p2-1.fc33.x86_64.rpm
=> rpm -q sudo says "sudo-1.9.5p2-1.fc33.x86_64"
Vulnerability check using (cd /; sudoedit -s '\' xxxxxxxxxxxx) command:
* Before: "sudoedit: malloc.c:2394: sysmalloc: Assertion (...) failed."
* After: "usage: sudoedit [-AknS] [-r role] (...)"
* Before: Sudo version 1.9.5p1
* After: Sudo version 1.9.5p2
Note: but I failed to test the update in the usual way, "sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-2cb63d912a" doesn't find any update.
Fixes vulnerability (tested using sudoedit -s / old output: "sudoedit: /: not a regular file" new output: "usage: sudoedit")
sudoedit -s /
sudoedit: /: not a regular file
This update has been pushed to stable.