From: Christian Dupuis
To: ~alpine/devel@lists.alpinelinux.org
Subject: Re: CVE-2021-3156 version number of sudo
Date: Thu, 16 Mar 2023 13:11:22 +0100
In-Reply-To: <20230316130832.49344745@ncopa-desktop.lan>
Message-Id: <81F478D6-B6DF-4E60-AFEF-0CDE8D6A5590@docker.com>

Thanks both.

We are really just trying to get the version range matching correct and stumbled over this as our code didn't understand:

1.9.5p2-r0 < 1.9.12_p2-r0

Based on the findings here, we need to support that. Thanks for the insight.

Regards,
cd

> On 16. Mar 2023, at 13:08, Natanael Copa wrote:
>
> On Thu, 16 Mar 2023 12:12:47 +0100
> Christian Dupuis wrote:
>
>> Hi,
>>
>> is it possible that there's a typo in the version number '1.9.5p2-r0'
>> of 'sudo' in CVE-2021-3156? Should the version number be
>> '1.9.5_p2-r0' instead?
>
> I agree that it looks like a typo, but I think it is correct.
>
> See:
> https://gitlab.alpinelinux.org/alpine/aports/-/commit/7b07d36c9c463eb0692ff58146f01d3dffe8c454
>
> Seems like we have used both `pN` and `_pN` historically and apk-tools understands both formats.
>
> The very first sudo commit[0] in 2008 used `pkgver=1.6.9_p17`.
>
> First time the format `pN` was used was in 2011 which did:
>
> -pkgver=1.7.4_p5
> +pkgver=1.7.4p6
>
> [0]: https://gitlab.alpinelinux.org/alpine/aports/-/commit/f0d3bff8bafec4b3da291a2a71c98b69b8e170e6
> [1]: https://gitlab.alpinelinux.org/alpine/aports/-/commit/8ccfff342c43a790a4faebe4b0e39230023757a6
>
> And then it has switched back and forth over the time. We have had:
> 1.8.1p1 (commit 497df9759f3fc62b00cec59b31781b4ec89c56bf)
> 1.8.3_p1 (commit 4e7d97a25281d5639c37b72bf8a7dd351b8c513b)
> ...
> 1.8.28p1 (commit 301bbcafabd063999d60f598c47de4972be2d72f)
> ...
> 1.9.3_p1 (commit b1d8dc07ad8a9db758d5b499f3376fcad016d8c4)
> ...
> 1.9.5p1
>
> etc.
>
> The `p` in sudo seems to mean "patch" release or similar, which
> corresponds to the meaning of `_p` in apk-tools. It does not mean the same
> as 'p' in openssl's 1.1.1p.
>
> So going forward we should probably stick to _p, even if we have not
> been consistent with this in the past.
>
> Thanks!
>
>>
>> Wondering because we are getting some reports and people seem to
>> consider the finding a false positive.
>>
>> Regards,
>>
>> Christian Dupuis
>> Docker
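An added example, not code from the thread, from Docker's scanner, or from apk-tools: a simplified Python version comparator that treats sudo's bare `pN` and apk's `_pN` as the same patch suffix and compares components numerically, so the `1.9.5p2-r0 < 1.9.12_p2-r0` case discussed in the thread resolves correctly instead of being a false positive. It assumes a reduced grammar (numeric components, an optional alpha/beta/pre/rc/p suffix, an optional `-rN` revision), which is narrower than what apk-tools itself accepts.

```python
import re

# Assumed grammar (a subset of apk's; NOT apk-tools' own parser):
#   N(.N)*  [ _alpha|_beta|_pre|_rc|_p [N] | pN ]  [ -rN ]
# A bare "pN" (sudo's 1.9.5p2) is treated exactly like "_pN".
_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?:(?P<us>_)?(?P<suffix>alpha|beta|pre|rc|p)(?P<sufnum>\d*))?"
    r"(?:-r(?P<rev>\d+))?$"
)

# Pre-release suffixes sort before a plain release; "p" (patch) sorts after it.
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, None: 0, "p": 1}


def parse_version(version):
    """Return a comparable tuple (numbers, suffix rank, suffix number, revision)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    if m["suffix"] and m["suffix"] != "p" and not m["us"]:
        # Only "p" may appear without the underscore (sudo's upstream convention).
        raise ValueError(f"suffix needs a leading underscore: {version!r}")
    nums = tuple(int(x) for x in m["nums"].split("."))
    sufnum = int(m["sufnum"]) if m["sufnum"] else 0
    rev = int(m["rev"]) if m["rev"] else 0
    return (nums, _SUFFIX_RANK[m["suffix"]], sufnum, rev)


def compare_versions(a, b):
    """-1 if a < b, 0 if equal, 1 if a > b (component-wise numeric, not lexicographic)."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


def is_affected(installed, fixed_in):
    """True when the installed package version is older than the version that fixed the CVE."""
    return compare_versions(installed, fixed_in) < 0


if __name__ == "__main__":
    # Plain string ordering gets the thread's case wrong ("5" > "1" as characters);
    # the parser compares 5 < 12 numerically and treats p2 and _p2 as equal.
    print("1.9.5p2-r0" < "1.9.12_p2-r0")                      # False (lexicographic)
    print(compare_versions("1.9.5p2-r0", "1.9.12_p2-r0"))     # -1
    print(is_affected("1.9.12_p2-r0", fixed_in="1.9.5p2-r0"))  # False: not a finding
```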