From: Natanael Copa
To: Christian Dupuis
Cc: ~alpine/devel@lists.alpinelinux.org
Subject: Re: CVE-2021-3156 version number of sudo
Date: Thu, 16 Mar 2023 13:08:32 +0100
Message-ID: <20230316130832.49344745@ncopa-desktop.lan>

On Thu, 16 Mar 2023 12:12:47 +0100 Christian Dupuis wrote:

> Hi,
>
> is it possible that there's a typo in the version number '1.9.5p2-r0'
> of 'sudo' in CVE-2021-3156? Should the version number be
> '1.9.5_p2-r0' instead?

I agree that it looks like a typo, but I think it is correct. See:

https://gitlab.alpinelinux.org/alpine/aports/-/commit/7b07d36c9c463eb0692ff58146f01d3dffe8c454

Seems like we have used both `pN` and `_pN` historically and apk-tools understands both formats.

The very first sudo commit[0] in 2008 used `pkgver=1.6.9_p17`.

First time the format `pN` was used was in 2011 which did:

-pkgver=1.7.4_p5
+pkgver=1.7.4p6

[0]: https://gitlab.alpinelinux.org/alpine/aports/-/commit/f0d3bff8bafec4b3da291a2a71c98b69b8e170e6
[1]: https://gitlab.alpinelinux.org/alpine/aports/-/commit/8ccfff342c43a790a4faebe4b0e39230023757a6

And then it has switched back and forth over time. We have had:

1.8.1p1 (commit 497df9759f3fc62b00cec59b31781b4ec89c56bf)
1.8.3_p1 (commit 4e7d97a25281d5639c37b72bf8a7dd351b8c513b)
...
1.8.28p1 (commit 301bbcafabd063999d60f598c47de4972be2d72f)
...
1.9.3_p1 (commit b1d8dc07ad8a9db758d5b499f3376fcad016d8c4)
...
1.9.5p1

etc.

The `p` in sudo seems to mean "patch" release or similar, which corresponds to the meaning of `_p` in apk-tools. It does not mean the same as 'p' in openssl's 1.1.1p.

So going forward we should probably stick to _p, even if we have not been consistent with this in the past.

Thanks!

> Wondering because we are getting some reports and people seem to
> consider the finding a false positive.
>
> Regards,
>
> Christian Dupuis
> Docker
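The practical consequence of the thread above is on the scanner side: a tool that compares an installed sudo package version against the fixed version recorded for CVE-2021-3156 will raise a false positive if it treats `1.9.5p2-r0` and `1.9.5_p2-r0` as different strings. The following is an added example, not code from the Alpine project or from either correspondent, showing a scanner-side normaliser that accepts both spellings of sudo's patch-release suffix and compares the normalised forms. It assumes, as the reply argues, that `pN` and `_pN` denote the same sudo patch release; it is a deliberately simplified model that only handles a dotted numeric base, an optional `pN`/`_pN` suffix and an optional `-rN` package revision, and it is not apk-tools' own version-comparison algorithm. Function names and the sample version list are constructed for this example.

```python
import re

# Simplified sudo-style version grammar (assumption for this example, not the
# apk-tools grammar): "<digits>.<digits>..." + optional "pN" or "_pN" + optional "-rN".
_SUDO_VERSION_RE = re.compile(
    r"^(?P<base>\d+(?:\.\d+)*)"      # dotted numeric base, e.g. 1.9.5
    r"(?:_?p(?P<patch>\d+))?"        # patch release, written either "p2" or "_p2"
    r"(?:-r(?P<rev>\d+))?$"          # Alpine package revision, e.g. -r0
)


def parse_sudo_version(version: str) -> tuple:
    """Parse a sudo package version into a comparable tuple.

    Returns (base_tuple, patch_number, package_revision).  Both "1.9.5p2-r0"
    and "1.9.5_p2-r0" parse to the same tuple, which is the whole point.
    """
    m = _SUDO_VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    base = tuple(int(part) for part in m.group("base").split("."))
    patch = int(m.group("patch")) if m.group("patch") else 0
    rev = int(m.group("rev")) if m.group("rev") else 0
    return (base, patch, rev)


def canonical(version: str) -> str:
    """Render a version in the "_pN" spelling the reply recommends going forward."""
    base, patch, rev = parse_sudo_version(version)
    text = ".".join(str(part) for part in base)
    if patch:
        text += f"_p{patch}"
    return f"{text}-r{rev}"


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the fixed version.

    Tuple comparison orders by base, then patch number, then revision, so
    "1.9.5p2-r0" installed against "1.9.5_p2-r0" fixed is correctly reported
    as fixed instead of as a false-positive finding.
    """
    return parse_sudo_version(installed) >= parse_sudo_version(fixed)


def triage(installed_versions, fixed: str) -> dict:
    """Map each installed version to its vulnerability verdict for one advisory."""
    return {v: ("fixed" if is_fixed(v, fixed) else "vulnerable") for v in installed_versions}


if __name__ == "__main__":
    # Constructed sample input: spellings seen in the aports history discussed above.
    samples = ["1.9.5_p2-r0", "1.9.5p2-r0", "1.9.5p1-r0", "1.9.5-r0", "1.8.28p1-r0"]
    for v in samples:
        print(f"{v:14} -> {canonical(v):14} {triage([v], '1.9.5p2-r0')[v]}")
```

Running the block prints the canonical `_pN` spelling next to each sample and the verdict against the advisory's `1.9.5p2-r0`; the two spellings of the fixed version itself both come out as "fixed", which is the behaviour a scanner needs in order not to report the finding as a false positive.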