code.ossystems Code Review - openembedded-core.git/commit

]> code.ossystems Code Review - openembedded-core.git/commit

Code Review / openembedded-core.git / commit

author	Changqing Li <changqing.li@windriver.com>
	Tue, 22 Oct 2019 02:47:11 +0000 (10:47 +0800)
committer	Richard Purdie <richard.purdie@linuxfoundation.org>
	Wed, 23 Oct 2019 15:26:15 +0000 (16:26 +0100)
commit	4e11cd561f2bdaa6807cf02ee7c9870881826308
tree	79f6336c0f8b297cf5e067f06fe25faee05301e1	tree \| snapshot
parent	6665e84bfba43cd8897b9561b14975ac524fbbe2	commit \| diff

sudo: fix CVE-2019-14287

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer
account can bypass certain policy blacklists and session PAM modules,
and can cause incorrect logging, by invoking sudo with a crafted user
ID. For example, this allows bypass of !root configuration, and USER=
logging, for a "sudo -u \#$((0xffffffff))" command.

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/recipes-extended/sudo/sudo/CVE-2019-14287-1.patch	[new file with mode: 0644]	blob
meta/recipes-extended/sudo/sudo/CVE-2019-14287-2.patch	[new file with mode: 0644]	blob
meta/recipes-extended/sudo/sudo_1.8.27.bb		diff \| blob \| history

Mirror of the official openembedded-core repository

RSS Atom