Name | CVE-2015-8239 |
Description | The SHA-2 digest support in the sudoers plugin in sudo after 1.8.7 allows local users with write permissions to parts of the called command to replace them before it is executed. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 805563 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| sudo (PTS) | jessie, jessie (lts) | 1.8.10p3-1+deb8u9 | vulnerable |
| | stretch (security) | 1.8.19p1-2.1+deb9u3 | fixed |
| | stretch (lts), stretch | 1.8.19p1-2.1+deb9u6 | fixed |
| | buster (security), buster, buster (lts) | 1.8.27-1+deb10u6 | fixed |
| | bullseye (security), bullseye | 1.9.5p2-3+deb11u1 | fixed |
| | bookworm | 1.9.13p3-1+deb12u1 | fixed |
| | sid, trixie | 1.9.16p1-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| sudo | source | squeeze | (not affected) | | | |
| sudo | source | wheezy | (not affected) | | | |
| sudo | source | (unstable) | 1.8.17p1-1 | | | 805563 |
Notes
[jessie] - sudo <no-dsa> (Minor issue)
[wheezy] - sudo <not-affected> (Command digests are only supported by version 1.8.7 or higher)
[squeeze] - sudo <not-affected> (Command digests are only supported by version 1.8.7 or higher)
https://www.openwall.com/lists/oss-security/2015/11/10/2
Documentation update: https://www.sudo.ws/repos/sudo/rev/24a3d9215c64
Use fexecve where available: https://www.sudo.ws/repos/sudo/rev/397722cdd7ec
Followup (fix regression): https://www.sudo.ws/repos/sudo/rev/0cd3cc8fa195
This issue is only a problem if the sudoers policy allows sudo to run specific binaries that live in user-writable locations and relies on SHA-2 digests to verify them.
Security-wise, it is not recommended to allow sudo to execute binaries from user-writable locations at all.
fexecve() does not mitigate the problem that the contents of a file could be changed between the checksumming and the call to fexecve(); it only ensures that the digest check and the exec refer to the same open file, so swapping the path to a different file after the check no longer helps.
The solution is to ensure that the permissions on the file, and on the directories leading to it, prevent it from being modified or replaced by malicious users.