
There has been some traffic online this year regarding an apparently substantial vulnerability in sudo that allows unauthorized privilege elevation - CVE-2021-3156.

I've been checking sudo --version since I first heard of this, but after tonight's full-upgrade, I am still at sudo ver 1.8.27 which was originally released in Jan 2019. Has anyone heard if there's any movement on this, or if Debian or RPi OS are not affected?

Seamus

4 Answers

This vulnerability can be trivially tested:

To test whether your version of sudo is vulnerable, the following command can be used:

sudoedit -s /

A vulnerable version of sudo will either prompt for a password or display an error similar to:

sudoedit: /: not a regular file

A patched version of sudo will simply display a usage statement, for example:

usage: sudoedit [-AknS] [-a type] [-C num] [-c class] [-D directory] [-g group]

I have just run this command on an up-to-date Pi OS, and it's indeed patched.

Dmitry Grigoryev
  • This is a v. good answer (+1). I didn't select it as "the" answer because my question was (at least intended to be) partly about why users are not informed via --version when these updates have been made. I personally don't make a habit of monitoring and following up on CVEs, rather I assume Debian (and eventually RPi OS) will deal with it. But this one appeared on my radar, and I tracked it. It's a good reminder for me on taking the hard work of so many for granted! – Seamus Mar 08 '21 at 20:14

While there are exceptions, generally stable releases of Linux distros backport important security fixes rather than packaging new upstream versions. They do this because the new upstream versions usually contain unrelated changes and every additional change brings more risk of regressions.

Unfortunately in most cases (again there are exceptions), the output of "program --version" only indicates the upstream version, not the distro-specific revisions. So it is not generally a good indication of whether a security fix has been applied.

Generally security fixes will be listed in the package's changelog which can be found at /usr/share/doc/<package>/changelog.Debian.gz. You can also check the installed version of the package against Debian's security tracker.

Debian addressed CVE-2021-3156 in version 1.8.27-1+deb10u3 and that quickly filtered its way down to Raspbian. There have however been some more minor issues raised since then that Debian has not seen fit to issue a security update for.

Peter Green
  • Good answer... I was not aware of this "backport" policy. Strictly as an opinion, it seems to me that this "backport" business could be dicey - depending on the nature and location of the affected code. I'm also of the opinion that 1.8.27-1 would have been a more useful clue than leaving it at 1.8.27. But of course none of that reflects negatively on your answer. – Seamus Mar 08 '21 at 20:03
  • Like anything it is just a matter of being familiar with the conventions. Also, going beyond the scope of the patch itself, eg., to change the compiled in version string: 1) Runs the risk of introducing new problems. 2) Requires there be someone available for all packages familiar enough with the source to do so, ie., there is a considerable resources issue. 3) Would conventionally be considered a bad practice. BTW, you can get the package version from apt info sudo (aka. apt show sudo). – goldilocks Mar 08 '21 at 20:26
  • "... it seems to me that this "backport" business could be dicey." - So is upgrading random packages to the latest version. Sure, probably fine for sudo, but what about a library that's used by lots of other software, webserver software, or scientific software that's been set up to run a large computation juuuust right? It's all a trade-off. – marcelm Mar 08 '21 at 23:52
  • 1.8.27-1 might break scripts which rely on a specific version format, like packaging, manpage generation, or checking whether the sudo command is up to date. Who knows what the result of if '27-1' > '27' would be in a random scripting language. – Dmitry Grigoryev Mar 09 '21 at 05:59
  • @marcelm: The way I look at the tradeoff between "backports" and "upgrading random packages to the latest version" is this: I would feel more confident in code modified by Todd Miller than a Debian maintainer... just as I'm sure you prefer having your Ferrari serviced at the dealership instead of the local garage, eh? – Seamus Mar 09 '21 at 15:55
  • @Seamus Backporting is a very common phenomenon in the Linux world (and outside it, actually; MacOS leans heavily on open source projects, so it faces the same dilemma). Maintainers often work together with the upstream authors on backporting such patches. I'm not saying there's no potential for issues there, but again: it's a trade-off, and Debian (as well as, say, Ubuntu and Red Hat) choose backporting. And no, I find Ferrari dealerships vastly overpriced. – marcelm Mar 09 '21 at 16:51
  • @Seamus This is why you have your Ferrari serviced by Ferrari, the people who integrated components to make a car and tested it, not Bosch, the people who made the ignition system. – user71659 Mar 10 '21 at 17:48
  • @user71659: Not a good analogy for this case. – Seamus Mar 10 '21 at 23:48
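Added example, not code from any answer on this page: a Python port of dpkg's package version ordering, so the version reported by `dpkg-query -W -f='${Version}' sudo` (or `apt show sudo`) can be checked against the fixed `1.8.27-1+deb10u3` from this answer with the same rules `dpkg --compare-versions` uses, rather than the plain string comparison Dmitry's comment warns about. Function names are mine; version strings other than those on the page are constructed samples.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg weight of one non-digit character: '~' < end of string < letters < other symbols
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256 if c else 0

def _cmp_nondigit(x, y):
    # Compare two non-digit runs character by character, padding the shorter with ""
    for cx, cy in zip_longest(x, y, fillvalue=""):
        ox, oy = _order(cx), _order(cy)
        if ox != oy:
            return -1 if ox < oy else 1
    return 0

def _verrevcmp(a, b):
    # dpkg's verrevcmp(): split into alternating non-digit / digit runs, compare run by run
    pairs_a = re.findall(r"(\D*)(\d*)", a)
    pairs_b = re.findall(r"(\D*)(\d*)", b)
    for (xa, da), (xb, db) in zip_longest(pairs_a, pairs_b, fillvalue=("", "")):
        r = _cmp_nondigit(xa, xb)
        if r:
            return r
        na, nb = int(da or 0), int(db or 0)   # digit runs compare numerically, not as text
        if na != nb:
            return -1 if na < nb else 1
    return 0

def parse_version(v):
    # '[epoch:]upstream[-debian_revision]'; a missing revision compares equal to "0"
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # -1, 0 or 1 with the same ordering as `dpkg --compare-versions`
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def sudo_is_fixed(installed, fixed="1.8.27-1+deb10u3"):
    # Fixed buster package version from this page; True when installed is at or past it
    return compare_versions(installed, fixed) >= 0
```

On a Debian system, `dpkg --compare-versions 1.8.27-1+deb10u3 ge 1.8.27-1+deb10u3` gives the same verdict without Python; the port is for scripting the check elsewhere.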

If you’ve updated then it is already fixed.

Fixed in version 1.8.27-1+deb10u3.

https://www.raspberrypi.org/forums/viewtopic.php?t=301106

CoderMike

Debian's sudo was fixed in 1.8.27-1+deb10u3 on January 20th (almost 7 weeks ago). That fix "trickled down" into Raspberry OS almost immediately.

If you update your system regularly, you should have gotten this version weeks ago. If you don't have this version, then you need to examine your update settings and investigate why you didn't get this version. Maybe you have manually pinned sudo to a specific version? Maybe you think you are running unattended updates automatically but there is a mistake in your configuration that prevents those updates from happening?