Bug Fix Advisory: sudo bug fix and enhancement update

Advisory: RHBA-2013:0112-1
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2013-01-07
Last updated on: 2013-01-07
Affected Products: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)

Details

Updated sudo packages that fix several bugs and add one enhancement are now
available for Red Hat Enterprise Linux 5.

The sudo (superuser do) utility allows system administrators to give specific
users the ability to run commands as root.

This update fixes the following bugs:

* Previously, sudo escaped non-alphanumeric characters in commands using "sudo
-s" or "sudo -" at the wrong place and interfered with the authorization
process. Some valid commands were not permitted. Now, non-alphanumeric
characters are escaped immediately before the command is executed and no longer
interfere with the authorization process. (BZ#806073)

* Prior to this update, the sudo utility could fail to receive the SIGCHLD
signal when it was executed from a process that blocked the SIGCHLD signal. As a
consequence, sudo could become suspended and fail to exit. This update modifies
the process signal mask so that sudo can exit and send the correct output.
(BZ#814508)

* The sudo update RHSA-2012:0309 introduced a regression that caused the SELinux
context of the /etc/nsswitch.conf file to change during installation or upgrade
of the sudo package. As a result, various services confined by SELinux could
lose permission to access the file. In reported cases, this issue prevented
PostgreSQL and Postfix from starting. (BZ#818585)

* Prior to this update, a race condition bug existed in sudo. When a program was
executed with sudo, it could exit successfully before sudo started waiting for
it. In this situation, the program became a defunct process and sudo waited for
it endlessly as it expected the program was still running. (BZ#829263)

* The sudo update RHSA-2012:0309 changed the behavior of sudo; it now runs
commands as a child process instead of executing them directly and replacing the
running process. This change could cause errors in some external scripts. A new
cmnd_no_wait configuration option was added to restore the old behavior. To
apply this option, add the following line to the /etc/sudoers file:

Defaults cmnd_no_wait

(BZ#840971)

* Updating the sudo package resulted in the "sudoers" line in /etc/nsswitch.conf
being removed. This update corrects the bug in the sudo package's post-uninstall
script that caused this issue. (BZ#841070)

* The RHSA-2012:1149 sudo security update introduced a regression that caused
the permissions of the /etc/nsswitch.conf file to change during the installation
or upgrade of the sudo package. This could cause various services to be unable
to access the file. In reported cases, this bug prevented PostgreSQL from
starting. This update fixes the bug and the file's permissions are no longer
changed in the described scenario. (BZ#846631)

* The policycoreutils package dependency, which includes the restorecon utility,
was set to Requires only. Consequently, the installation proceeded in the
incorrect order and restorecon was required before it was installed. This bug
has been fixed by using a context marked dependency "Requires(post)" and
"Requires(postun)", and the installation now proceeds correctly. (BZ#846694)

Also, this update adds the following enhancement:

* The sudo utility is able to consult the /etc/nsswitch.conf file for sudoers
entries and look them up in files or in LDAP. Previously, when a match was found
in the first database of sudoers entries, the look-up operation still continued
in other databases. This update adds an option to the /etc/nsswitch.conf file
that allows specifying a database. Once a match is found in the specified
database, the search ends. This eliminates the need to query any other
databases, thus improving the performance of sudoers entry lookups in large
environments. This behavior is not enabled by default and must be configured by
adding the "[SUCCESS=return]" string after a selected database. When a match is
found in a database that directly precedes this string, no other databases are
queried. (BZ#840097)
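
The lookup order described in this enhancement can be modelled with a short script that reads the "sudoers:" line and reports which databases are consulted for a given match. This is an added example, not sudo's or Red Hat's code; the function names and the sample "files" then "ldap" ordering are assumptions.

```shell
#!/bin/sh
# Added example (not sudo's code): model of the sudoers lookup order.

# sudoers_line FILE: print the source list of the "sudoers:" line in an
# nsswitch.conf-style FILE, ignoring comments. Empty output if there is none.
sudoers_line() {
    sed -n 's/#.*//; s/^[[:space:]]*sudoers:[[:space:]]*//p' "$1" | head -n 1
}

# queried_sources FILE MATCH_DB: print, in order, the databases consulted
# when the matching entry lives in MATCH_DB. The body runs in a subshell with
# globbing off so "[SUCCESS=return]" is never expanded as a filename pattern.
queried_sources() (
    set -f
    out=""
    prev=""
    for tok in $(sudoers_line "$1"); do
        if [ "$tok" = "[SUCCESS=return]" ]; then
            # Stop only when the database directly before the string matched.
            if [ "$prev" = "$2" ]; then
                break
            fi
        else
            out="${out:+$out }$tok"
            prev=$tok
        fi
    done
    printf '%s\n' "$out"
)

# Constructed sample configuration (the database order is an assumption).
sample=$(mktemp)
printf '%s\n' 'passwd: files' 'sudoers: files [SUCCESS=return] ldap' > "$sample"
echo "match in files -> queried: $(queried_sources "$sample" files)"
echo "match in ldap  -> queried: $(queried_sources "$sample" ldap)"
rm -f "$sample"
```

Only a match in the database directly before the string ends the search, so in the sample an entry that exists only in LDAP still costs a query to both databases.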

All users of sudo are advised to upgrade to these updated packages, which fix
these bugs and add this enhancement.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
sudo-1.7.2p1-22.el5.src.rpm
File outdated by:  RHSA-2014:0266

IA-32:
sudo-1.7.2p1-22.el5.i386.rpm
File outdated by:  RHSA-2014:0266
sudo-debuginfo-1.7.2p1-22.el5.i386.rpm
File outdated by:  RHSA-2014:0266

IA-64:
sudo-1.7.2p1-22.el5.ia64.rpm
File outdated by:  RHSA-2014:0266
sudo-debuginfo-1.7.2p1-22.el5.ia64.rpm
File outdated by:  RHSA-2014:0266

PPC:
sudo-1.7.2p1-22.el5.ppc.rpm
File outdated by:  RHSA-2014:0266
sudo-debuginfo-1.7.2p1-22.el5.ppc.rpm
File outdated by:  RHSA-2014:0266

s390x:
sudo-1.7.2p1-22.el5.s390x.rpm
File outdated by:  RHSA-2014:0266
sudo-debuginfo-1.7.2p1-22.el5.s390x.rpm
File outdated by:  RHSA-2014:0266

x86_64:
sudo-1.7.2p1-22.el5.x86_64.rpm
File outdated by:  RHSA-2014:0266
sudo-debuginfo-1.7.2p1-22.el5.x86_64.rpm
File outdated by:  RHSA-2014:0266
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
sudo-1.7.2p1-22.el5.src.rpm
File outdated by:  RHSA-2014:0266

IA-32:
sudo-1.7.2p1-22.el5.i386.rpm
File outdated by:  RHSA-2014:0266
sudo-debuginfo-1.7.2p1-22.el5.i386.rpm
File outdated by:  RHSA-2014:0266

x86_64:
sudo-1.7.2p1-22.el5.x86_64.rpm
File outdated by:  RHSA-2014:0266
sudo-debuginfo-1.7.2p1-22.el5.x86_64.rpm
File outdated by:  RHSA-2014:0266
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

818585 - selinux blocks postgresql startup
829263 - Sudo has racecondition leaving sudo with its zombie child running forever
841070 - sudo 1.7.2p1-14.el5_8 removed sudoers line from nsswitch.conf
846631 - Postgresql fail to start on RHEL 5.8



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/