
Affected versions are 1.8.0 through 1.8.3p1 inclusive. Ubuntu 11.10 is not affected (it's running 1.7.4). Ubuntu 12.04 (alpha) might be, which appears to be running 1.8.3p1, for a short while anyway.


Ubuntu 10.04 LTS seems to be OK:

  $ lsb_release -a
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description:    Ubuntu 10.04.3 LTS
  Release:        10.04
  Codename:       lucid

  $ sudo -V
  Sudo version 1.7.2p1


Super. My Gentoo boxes are 1.8.2, and are broken as expected.

  $ ln -s /usr/bin/sudo ./%s
  $ ./%s -D9
  [some debug output with garbage]
  Segmentation fault
  $

Bug is here:

https://bugs.gentoo.org/show_bug.cgi?id=401533

Looks like it's patched on x86/amd64 already.

OpenIndiana looks unaffected. It's using 1.7.4p4.


Yep, the patch is in Gentoo. I just did a sync and 1.8.3_p2 will be built.


Debian stable is unaffected (1.7.4p4).


Debian _un_stable, on the other hand, may be (depending on when you last updated). There is a new package available and so an `apt-get install sudo' or `apt-get upgrade' will sort it.


CentOS 6.2 (and hence RHEL 6.2, the current version) is on sudo-1.7.4p5.


RHEL compiled out the debugging support and is NOT vulnerable.

Fedora compiles everything with -DFORTIFY_SOURCE which means this still crashes, but is not (thought to be) vulnerable. In any case there is an update available for Fedora right now. https://admin.fedoraproject.org/updates/sudo-1.8.3p1-2.fc16


On OS X 10.7.2: Sudo version 1.7.4p6, on the latest 10.6: 1.7.0.


Segfaults on openSUSE 12.1 (1.8.2).
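
Added example, not part of any comment in the thread: a small triage helper that parses `sudo -V` output or a bare version string and checks it against the affected range quoted above (1.8.0 through 1.8.3p1 inclusive). The function names are hypothetical, and the sample inputs are the versions commenters reported.

```python
import re

# Affected range as stated in the thread: 1.8.0 through 1.8.3p1 inclusive.
AFFECTED_MIN = (1, 8, 0, 0)
AFFECTED_MAX = (1, 8, 3, 1)

# Matches "1.7.4", "1.8.3p1" and the Gentoo spelling "1.8.3_p2".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_?p(\d+))?")


def parse_sudo_version(text):
    """Return (major, minor, patch, patchlevel) from `sudo -V` output or a bare version."""
    # Prefer the "Sudo version X" banner line; otherwise treat the input as the version.
    banner = re.search(r"^Sudo version\s+(\S+)", text, re.MULTILINE)
    candidate = banner.group(1) if banner else text.strip()
    m = _VERSION_RE.match(candidate)
    if not m:
        raise ValueError(f"unrecognised sudo version: {candidate!r}")
    # A missing pN suffix sorts as patchlevel 0, so 1.8.3 < 1.8.3p1 < 1.8.3p2.
    return tuple(int(g) if g else 0 for g in m.groups())


def in_affected_range(text):
    """True when the upstream version lies in the range quoted in the thread.

    Only the upstream version is compared. A distro release suffix is ignored, so a
    package that backports the fix without changing the upstream version (the Fedora
    update linked in the thread is still 1.8.3p1) reports True and needs a changelog
    check. Builds without debugging support, as reported for RHEL, are a separate case.
    """
    return AFFECTED_MIN <= parse_sudo_version(text) <= AFFECTED_MAX


if __name__ == "__main__":
    # Versions reported by commenters in the thread.
    reported = ["1.7.4", "1.8.3p1", "Sudo version 1.7.2p1", "1.8.2", "1.7.4p4",
                "1.8.3_p2", "1.7.4p5", "1.7.4p6", "1.7.0"]
    for v in reported:
        print(f"{v:24} {'IN RANGE' if in_affected_range(v) else 'outside range'}")
```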



