CVE-2015-8239

NameCVE-2015-8239
DescriptionThe SHA-2 digest support in the sudoers plugin in sudo after 1.8.7 allows local users with write permissions to parts of the called command to replace them before it is executed.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs805563

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sudo (PTS)jessie, jessie (lts)1.8.10p3-1+deb8u9vulnerable
stretch (security)1.8.19p1-2.1+deb9u3fixed
stretch (lts), stretch1.8.19p1-2.1+deb9u6fixed
buster1.8.27-1+deb10u3fixed
buster (security)1.8.27-1+deb10u6fixed
bullseye (security), bullseye1.9.5p2-3+deb11u1fixed
bookworm1.9.13p3-1+deb12u1fixed
sid, trixie1.9.15p5-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sudosourcesqueeze(not affected)
sudosourcewheezy(not affected)
sudosource(unstable)1.8.17p1-1805563

Notes

[jessie] - sudo <no-dsa> (Minor issue)
[wheezy] - sudo <not-affected> (Command digests are only supported by version 1.8.7 or higher)
[squeeze] - sudo <not-affected> (Command digests are only supported by version 1.8.7 or higher)
https://www.openwall.com/lists/oss-security/2015/11/10/2
Documentation update: https://www.sudo.ws/repos/sudo/rev/24a3d9215c64
Use fexecve where available: https://www.sudo.ws/repos/sudo/rev/397722cdd7ec
Followup: https://www.sudo.ws/repos/sudo/rev/0cd3cc8fa195
https://www.sudo.ws/repos/sudo/rev/0cd3cc8fa195 (fix regression)
This issue is only a problem if you allow sudo of specific binaries in user writable locations (and checking them with SHA2 digests).
It is not recommend securitywise not to allow sudo executing specific binaries in userwritable locations.
fexecve() does not mitigate the problem that the contents of a file could be changed between the checksumming and the call to fexecve()
The solution is to ensure that the permissions on the file prevent it from being modified by malicious users.

Search for package or bug name: Reporting problems