Hello
Ayappan P,
I already followed the suggested steps; the installation of sudo_ids was successful, but I am not sure how to verify that this issue was fixed and that AIX is not affected.
Could anyone help me verify it?
1. Download Sudo 1.9.5p2, which is now available in the AIX Toolbox.
sudo_ids --> https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/sudo/sudo_ids-1.9.5p2-1.aix6.1.ppc.rpm
Package file name: sudo_ids-1.9.5p2-1.aix6.1.ppc.rpm
2. Use the rpm command to install.
# rpm -Uvh sudo_ids-1.9.5p2-1.aix6.1.ppc.rpm
# sudo --version
# sudoedit -s '\' `perl -e 'print "A" x 65536'`
# ldd /usr/bin/sudo
Herewith the detailed installation output.
[AIX72test:root]/image/sudo# echo ${LIBPATH}
/opt/IBM/ldap/V6.2/lib64:/opt/IBM/ldap/V6.2/lib:/opt/freeware/lib:
[AIX72test:root]/image/sudo# sudo --version
Sudo version 1.9.5p2
Configure options: --prefix=/opt/freeware --sbindir=/opt/freeware/sbin --mandir=/opt/freeware/man --libexecdir=/opt/freeware/libexec --docdir=/opt/freeware/share/doc/sudo_ids-1.9.5p2 --libdir=/opt/freeware/lib --with-logging=syslog --with-aixauth --with-logfac=auth --with-pam --with-pam-login --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf
Sudoers policy plugin version 1.9.5p2
Sudoers file grammar version 48
... << omitted >>...
Sudoers I/O plugin version 1.9.5p2
Sudoers audit plugin version 1.9.5p2
[AIX72test:root]/image/sudo# sudoedit -s '\' `perl -e 'print "A" x 65536'`
usage: sudoedit [-AknS] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
[AIX72test:root]/image/sudo# ldd /usr/bin/sudo
/usr/bin/sudo needs:
/opt/freeware/libexec/sudo/libsudo_util.so
/opt/IBM/ldap/V6.2/lib64/libibmldap.a
dump: /opt/IBM/ldap/V6.2/lib64/libibmldap.a: 0654-108 file is not valid in the current object file mode.
Use the -X option to specify the desired object mode.
/opt/freeware/lib/libintl.a(libintl.so.8)
/usr/lib/libpthread.a(shr_xpg5.o)
/usr/lib/libc.a(shr.o)
/usr/lib/librtl.a(shr.o)
/usr/lib/libpthreads.a(shr_xpg5.o)
/unix
/usr/lib/libpthreads.a(shr_comm.o)
/usr/lib/libcrypt.a(shr.o)
[AIX72test:root]/image/sudo#
Thanks,
Charin Kumjudpai.
------------------------------
CHARIN KUMJUDPAI
------------------------------
Original Message:
Sent: Mon February 01, 2021 11:46 PM
From: Ayappan P
Subject: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
Sudo depends on openldap and sudo_ids depends on IBM ldap.
Since you have IBM ldap installed, I recommend that you install sudo_ids instead of sudo.
It's the same sudo, but linked with IBM ldap instead of openldap.
https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/sudo/sudo_ids-1.9.5p2-1.aix6.1.ppc.rpm
------------------------------
Ayappan P
Original Message:
Sent: Mon February 01, 2021 09:45 PM
From: CHARIN KUMJUDPAI
Subject: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
Hello AIX open source community,
I had a customer case related to this CVE number.
ENV: current AIX, rpm and sudo versions.
AIX : 7200-01-06-1914
rpm : 4.13.0.1
Sudo : 1.8.22
Additional information:
[AIX72test:root]/image/sudo# rpm -qa | grep AIX-rpm
AIX-rpm-7.2.3.15-13.ppc
[AIX72test:root]/image/sudo# rpm -q AIX-rpm --provides | grep -i ldap
idsldap_plugin_ibm_gsskrb.a
idsldap_plugin_sasl_digest-md5.a
libibmldap.a
libibmldapdbg.a
libibmldapn.a
libidsldap.a
libidsldapiconv.a
libsecldapaudit.a(shr.o)
libsecldapaudit64.a(shr.o)
nis_ldap.so
nis_ldap_64.so
rpcldap.so
rpcldap_64.so
[AIX72test:root]/image/sudo#
I tried to install it and got errors.
1. Download Sudo 1.9.5p2, which is now available in the AIX Toolbox.
sudo --> https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/sudo/sudo-1.9.5p2-1.aix6.1.ppc.rpm
2. Installing with smitty install gives errors.
Command: failed stdout: yes stderr: no
Before command completion, additional instructions may appear below.
geninstall -I "agpQqwX -J" -Z -p -d . -f File 2>&1
File:
sudo-1.9.5p2-1
Validating RPM package selections ...
+-----------------------------------------------------------------------------+
RPM Error Summary:
+-----------------------------------------------------------------------------+
The following errors occurred during installation:
error: Failed dependencies:
liblber.a(liblber-2.4.so.2) is needed by sudo-1.9.5p2-1.ppc
libldap.a(libldap-2.4.so.2) is needed by sudo-1.9.5p2-1.ppc
openldap >= 2.4.48-1 is needed by sudo-1.9.5p2-1.ppc
Could you please help, or share the step-by-step procedure to install the sudo-1.9.5p2-1.aix6.1.ppc.rpm package on AIX 7.2?
Best regards,
Charin Kumjudpai.
------------------------------
CHARIN KUMJUDPAI
Original Message:
Sent: Thu January 28, 2021 12:55 PM
From: Plamen Tanovski
Subject: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
What is the patch for? I was able to compile sudo-1.9.5p2 under AIX 7.1 with the following config:
CC=xlc ./configure --disable-openssl --disable-nls --disable-log-server --disable-log-client
best regards,
Plamen
------------------------------
Plamen Tanovski
Original Message:
Sent: Thu January 28, 2021 07:49 AM
From: Andrey Klyachkin
Subject: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
Quick and dirty "help yourself" guide. Req'd time - 15-30 min.
1. Download and install the source code of the latest sudo package:
# wget http://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/SRPMS/sudo/sudo-1.8.31p1-2.src.rpm
# rpm -ivh sudo-1.8.31p1-2.src.rpm
2. Download the latest sudo tarball and AIX patch to it:
# cd /opt/freeware/src/packages/SOURCES
# wget https://www.sudo.ws/dist/sudo-1.9.5p2.tar.gz
# wget https://dl.power-devops.com/sudo-1.9.5p2-exppasswd2-aix.patch
3. Amend the spec file for sudo:
# cd /opt/freeware/src/packages/SPECS
# mv sudo-1.8.31p1-2.spec sudo.spec
# vi sudo.spec
Line 9:
Version: 1.9.5p2
Line 10:
Release: 1
Line 272: add a changelog entry, something like:
* Thu Jan 28 2021 andrey.klyachkin <andrey.klyachkin@enfence.com> - 1.9.5p2
- bump
4. Compile it:
# rpmbuild -ba sudo.spec
If it says something like:
error: Failed build dependencies:
openldap-devel >= 2.4.48-1 is needed by sudo-1.9.5p2-1.ppc
Install the missing dependencies, e.g.:
# yum -y install openldap-devel
5. The result is in /opt/freeware/src/packages/RPMS/ppc:
-rw-r--r-- 1 root system 5419802 Jan 28 01:41PM sudo-1.9.5p2-1.aix7.2.ppc.rpm
I hope it helps while waiting for IBM to release the package :-)
------------------------------
Andrey Klyachkin
https://www.power-devops.com
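The spec-file edits in step 3 of the guide above are the part most likely to go wrong by hand, since the line numbers (9, 10, 272) only hold for that exact spec revision. The following script, added here and not Andrey's own, rewrites the spec by matching on the `Version:`, `Release:` and `%changelog` lines instead, and wraps steps 1 to 5 in a single function that is only run when invoked with `--build`. It assumes the standard AIX Toolbox rpmbuild tree under /opt/freeware/src/packages and that the downloaded spec carries those three lines; the URLs are the ones quoted in the guide.

```shell
#!/bin/sh
# Added example (not the original poster's script): automates the rebuild
# procedure described in the thread. URLs are those quoted in the guide;
# PKGTOP is the AIX Toolbox default rpmbuild tree (assumption).
SRC_RPM_URL=http://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/SRPMS/sudo/sudo-1.8.31p1-2.src.rpm
TARBALL_URL=https://www.sudo.ws/dist/sudo-1.9.5p2.tar.gz
PATCH_URL=https://dl.power-devops.com/sudo-1.9.5p2-exppasswd2-aix.patch
PKGTOP=/opt/freeware/src/packages

# bump_spec SPEC VERSION RELEASE "packager <mail>"
# Rewrites the Version:/Release: fields in place and prepends a %changelog
# entry, matching on field names rather than on line numbers.
bump_spec() {
  spec=$1; version=$2; release=$3; packager=$4
  stamp=$(date '+%a %b %d %Y')   # rpm changelog date format, e.g. "Thu Jan 28 2021"
  awk -v v="$version" -v r="$release" -v who="$packager" -v d="$stamp" '
    /^Version:/   { print "Version: " v; next }
    /^Release:/   { print "Release: " r; next }
    /^%changelog/ { print
                    print "* " d " " who " - " v
                    print "- bump to " v
                    print ""
                    next }
                  { print }
  ' "$spec" > "$spec.tmp" && mv "$spec.tmp" "$spec"
}

# spec_field SPEC FIELD -> prints the value of a "Field: value" line
spec_field() {
  awk -v f="$2:" '$1 == f { print $2; exit }' "$1"
}

# Full procedure; only meaningful on the AIX build host (needs wget, rpm,
# rpmbuild and a compiler). Not executed unless the script is run with --build.
rebuild_sudo() {
  cd /tmp && wget "$SRC_RPM_URL" && rpm -ivh sudo-1.8.31p1-2.src.rpm
  cd "$PKGTOP/SOURCES" && wget "$TARBALL_URL" && wget "$PATCH_URL"
  cd "$PKGTOP/SPECS" && mv sudo-1.8.31p1-2.spec sudo.spec
  bump_spec sudo.spec 1.9.5p2 1 "$(id -un) <$(id -un)@$(hostname)>"
  # On "Failed build dependencies", install the packages rpmbuild names
  # (e.g. yum -y install openldap-devel) and re-run this step.
  rpmbuild -ba sudo.spec
  ls -l "$PKGTOP/RPMS/ppc"/sudo-1.9.5p2-*.rpm
}

if [ "${1:-}" = "--build" ]; then rebuild_sudo; fi
```

Run `sh rebuild-sudo.sh --build` on the build host; without the flag the script only defines the functions, so `bump_spec` can be tried safely on a copy of the spec first and checked with `spec_field sudo.spec Version`.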
Original Message:
Sent: Tue January 26, 2021 05:01 PM
From: Morten Torstensen
Subject: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
Hi,
What are the plans to update sudo in the AIX yum repository for this vulnerability?
According to the info here and the test, the AIX version is vulnerable: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) | Qualys Security Blog
> rpm -qa|grep sudo
sudo-1.8.31p1-2.ppc
And this test indicates vulnerability:
> sudoedit -s /
sudoedit: /: not a regular file
If "usage:" instead of "sudoedit:" is returned, sudo is not vulnerable.
This vulnerability is relatively serious, as any local non-privileged account can gain root access, even those not in the sudoers config.
------------------------------
Morten Torstensen
------------------------------
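Morten's post gives the behavioural test (`sudoedit -s /` answering with `sudoedit:` means vulnerable, `usage:` means fixed), and Charin's first post asks how to confirm that the installed sudo_ids build is actually fixed and linked against IBM ldap as Ayappan described. The script below, added here and not from any of the posters, turns those three checks into small functions that can be applied to captured output (so they are testable offline) plus a driver that runs them on a live host. It assumes `sudo --version` prints a `Sudo version X` line and that `ldd` output names the LDAP library, as in Charin's transcript; the 1.8.32 threshold is from the upstream advisory rather than from this thread.

```shell
#!/bin/sh
# Added example (not the posters' own commands): classify the outputs that
# the thread uses to decide whether a sudo install is fixed for CVE-2021-3156.

# classify_sudoedit_output LINE -> vulnerable | not-vulnerable | unknown
# LINE is the first line printed by `sudoedit -s /` (the upstream advisory
# runs it as an unprivileged user). A patched sudoedit rejects the flag
# combination and prints usage; a pre-fix one gets as far as opening "/".
classify_sudoedit_output() {
  case "$1" in
    usage:*)    echo "not-vulnerable" ;;
    sudoedit:*) echo "vulnerable" ;;
    *)          echo "unknown" ;;
  esac
}

# sudo_version_is_fixed VERSION -> yes | no
# Fixed in 1.9.5p2 and in the 1.8.32 backport (upstream advisory; assumption
# not stated in the thread). Versions are encoded as major.minor.patch.pN
# into one integer so that "1.9.5p2" sorts after "1.9.5" and "1.8.31p1".
sudo_version_is_fixed() {
  printf '%s\n' "$1" | awk -F'[.p]' '
    { n = $1*1000000000 + $2*1000000 + $3*1000 + ($4 == "" ? 0 : $4)
      if (n >= 1009005002)                          print "yes"   # >= 1.9.5p2
      else if ($1 == 1 && $2 == 8 && n >= 1008032000) print "yes" # >= 1.8.32
      else                                          print "no" }'
}

# ldap_flavor_from_ldd TEXT -> ibm | openldap | none
# TEXT is the output of `ldd /usr/bin/sudo`; sudo_ids links libibmldap,
# the Toolbox sudo links libldap from openldap.
ldap_flavor_from_ldd() {
  case "$1" in
    *libibmldap*) echo "ibm" ;;
    *libldap*)    echo "openldap" ;;
    *)            echo "none" ;;
  esac
}

# Replay of the outputs quoted in the thread (constructed from the posts).
demo_offline() {
  echo "1.8.31p1 box, 'sudoedit: /: not a regular file' -> $(classify_sudoedit_output 'sudoedit: /: not a regular file')"
  echo "1.9.5p2 box, 'usage: sudoedit [-AknS] ...'      -> $(classify_sudoedit_output 'usage: sudoedit [-AknS] [-C num] file ...')"
  echo "version 1.8.22 fixed?   $(sudo_version_is_fixed 1.8.22)"
  echo "version 1.9.5p2 fixed?  $(sudo_version_is_fixed 1.9.5p2)"
  echo "sudo_ids ldd -> $(ldap_flavor_from_ldd '/usr/bin/sudo needs: /opt/IBM/ldap/V6.2/lib64/libibmldap.a')"
}

# Live checks; only meaningful on a host with sudo installed.
check_live_system() {
  command -v sudoedit >/dev/null 2>&1 || { echo "sudoedit not found"; return 2; }
  ver=$(sudo --version 2>/dev/null | awk '/^Sudo version/ { print $3; exit }')
  echo "sudo version: $ver (fixed: $(sudo_version_is_fixed "$ver"))"
  first=$(sudoedit -s / 2>&1 | head -n 1)
  echo "sudoedit -s / -> $(classify_sudoedit_output "$first")"
  echo "ldap linkage: $(ldap_flavor_from_ldd "$(ldd /usr/bin/sudo 2>&1)")"
}

case "${1:-}" in
  --live) check_live_system ;;
  --demo) demo_offline ;;
esac
```

`sh check-sudo.sh --demo` replays the thread's own outputs; `sh check-sudo.sh --live` runs the real commands. The `sudoedit -s /` result is the decisive check, since it exercises the fixed code path regardless of how the package was built; the version and `ldd` lines confirm which build (sudo or sudo_ids) is actually on the path.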