~alpine/devel

CVE-2021-3156 version number of sudo

From: Christian Dupuis <christian.dupuis@docker.com>
Message-ID: <A3BBFD61-8DED-453B-8827-BCD02699C49B@docker.com>

Hi,

is it possible that there's a typo in the version number '1.9.5p2-r0' of 'sudo' in CVE-2021-3156? Should the version number be '1.9.5_p2-r0' instead?

Wondering because we are getting some reports and people seem to consider the finding a false positive.

Regards,

Christian Dupuis
Docker

From: Christian Kujau <lists@nerdbynature.de>
Message-ID: <4e6896b6-d218-aa6d-4189-a1f43eaf543d@nerdbynature.de>
In-Reply-To: <A3BBFD61-8DED-453B-8827-BCD02699C49B@docker.com>

On Thu, 16 Mar 2023, Christian Dupuis wrote:
> is it possible that there's a typo in the version number '1.9.5p2-r0' of 'sudo' in CVE-2021-3156? Should the version number be '1.9.5_p2-r0' instead?

So, https://security.alpinelinux.org/vuln/CVE-2021-3156 (and NVD too) 
states "Sudo before 1.9.5p2 contains...", I don't know where this 
"1.9.5_p2" is coming from. But, sudo 1.9.5p2[0] is from 2021 (i.e. Alpine 
v3.12[1]), so I'm curious to know what this question is really about :-)

C.

[0] https://www.sudo.ws/releases/stable/#1.9.5p2
[1] https://pkgs.alpinelinux.org/package/v3.12/main/x86_64/sudo
-- 
BOFH excuse #451:

astropneumatic oscillations in the water-cooling

From: Natanael Copa <ncopa@alpinelinux.org>
Message-ID: <20230316130832.49344745@ncopa-desktop.lan>
In-Reply-To: <A3BBFD61-8DED-453B-8827-BCD02699C49B@docker.com>

On Thu, 16 Mar 2023 12:12:47 +0100
Christian Dupuis <christian.dupuis@docker.com> wrote:

> Hi,
> 
> is it possible that there's a typo in the version number '1.9.5p2-r0'
> of 'sudo' in CVE-2021-3156? Should the version number be
> '1.9.5_p2-r0' instead?

I agree that it looks like a typo, but I think it is correct.

See:
https://gitlab.alpinelinux.org/alpine/aports/-/commit/7b07d36c9c463eb0692ff58146f01d3dffe8c454

Seems like we have used both `pN` and `_pN` historically and apk-tools understands both formats.

The very first sudo commit[0] in 2008 used `pkgver=1.6.9_p17`.

The first time the format `pN` was used was in 2011[1], which did:

    -pkgver=1.7.4_p5
    +pkgver=1.7.4p6

[0]: https://gitlab.alpinelinux.org/alpine/aports/-/commit/f0d3bff8bafec4b3da291a2a71c98b69b8e170e6
[1]: https://gitlab.alpinelinux.org/alpine/aports/-/commit/8ccfff342c43a790a4faebe4b0e39230023757a6

And then it has switched back and forth over time. We have had:
1.8.1p1 (commit 497df9759f3fc62b00cec59b31781b4ec89c56bf)
1.8.3_p1 (commit 4e7d97a25281d5639c37b72bf8a7dd351b8c513b)
...
1.8.28p1 (commit 301bbcafabd063999d60f598c47de4972be2d72f)
...
1.9.3_p1 (commit b1d8dc07ad8a9db758d5b499f3376fcad016d8c4)
...
1.9.5p1

etc.

The `p` in sudo seems to mean "patch" release or similar, which
corresponds to the meaning `_p` in apk-tools. It does not mean the same
as 'p' in openssl's 1.1.1p.

So going forward we should probably stick to _p, even if we have not
been consistent with this in the past.

Thanks!

> 
> Wondering because we are getting some reports and people seem to
> consider the finding a false positive.
> 
> Regards,
> 
> Christian Dupuis
> Docker

From: Christian Dupuis <christian.dupuis@docker.com>
Message-ID: <81F478D6-B6DF-4E60-AFEF-0CDE8D6A5590@docker.com>
In-Reply-To: <20230316130832.49344745@ncopa-desktop.lan>

Thanks both. 

We are really just trying to get the version range matching correct and stumbled over this as our code didn’t understand:

1.9.5p2-r0 < 1.9.12_p2-r0

Based on the findings here, we need to support that.

Thanks for insight.

Regards, cd

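The version-ordering problem this thread turns on, as an added example (not code from the thread, from Alpine or from Docker): a scanner-side comparator that parses Alpine package versions in both the `_pN` and bare `pN` spellings, applies the suffix ordering documented for APKBUILD pkgver (`_alpha`/`_beta`/`_pre`/`_rc` below the bare version, `_cvs`/`_svn`/`_git`/`_hg`/`_p` above it, then `-rN`), and checks an installed version against a fixed version such as the secdb's `1.9.5p2-r0` for CVE-2021-3156. apk-tools' own comparator (src/version.c in apk-tools) is the reference, not this model. Two choices are assumptions made here: the bare `pN` is collapsed into `_pN`, following Natanael's reading of sudo's `p` as a patch release (the thread does not establish how apk itself ranks `1.9.5p2` against `1.9.5_p2`), and a lone trailing letter such as openssl's `1.1.1p` is kept as a letter. Leading zeros, which apk orders specially, are not modelled. The `naive_string_compare` function shows the failure mode Christian's scanner hit: plain string ordering puts `1.9.5p2-r0` above `1.9.12_p2-r0`.

```python
"""Compare Alpine (apk) versions that spell the patch suffix as `pN` or `_pN`.

Illustrative comparator written for this thread, not apk-tools' own code
(see src/version.c in apk-tools). Models the documented pkgver ordering only.
"""
import re
from dataclasses import dataclass
from typing import Tuple

PRE_SUFFIXES = ("alpha", "beta", "pre", "rc")
POST_SUFFIXES = ("cvs", "svn", "git", "hg", "p")

# Rank per suffix: pre-release negative, post-release positive, so a version
# with no suffix at all sits between the two groups.
SUFFIX_RANK = {s: i - len(PRE_SUFFIXES) for i, s in enumerate(PRE_SUFFIXES)}
SUFFIX_RANK.update({s: i + 1 for i, s in enumerate(POST_SUFFIXES)})

_NAMES = "|".join(PRE_SUFFIXES + POST_SUFFIXES)
# Assumption (not apk's tokenizer): bare `p2` is the same suffix as `_p2`.
# The bare form must carry digits so a lone trailing letter (openssl 1.1.1p)
# stays a letter instead of being read as a patch suffix.
_ONE_SUFFIX = rf"_(?:{_NAMES})\d*|(?:{_NAMES})\d+"
_SUFFIX_RE = re.compile(_ONE_SUFFIX)
_VERSION_RE = re.compile(
    rf"^(?P<nums>\d+(?:\.\d+)*)"          # 1.9.5
    rf"(?P<letter>[a-z])?"                # k in 1.0.2k, p in 1.1.1p
    rf"(?P<suffixes>(?:{_ONE_SUFFIX})*)"  # _p2, p2, _rc1, _git20230101
    rf"(?:-r(?P<rel>\d+))?$"              # -r0 (pkgrel)
)


@dataclass(frozen=True)
class ApkVersion:
    nums: Tuple[int, ...]
    letter: str
    suffixes: Tuple[Tuple[int, int], ...]  # (rank, number) per suffix
    rel: int


def parse(version: str) -> ApkVersion:
    """Parse '1.9.5p2-r0' or '1.9.5_p2-r0' into the same comparable parts."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not an apk version: {version!r}")
    suffixes = []
    for raw in _SUFFIX_RE.findall(m.group("suffixes")):
        name, digits = re.match(rf"({_NAMES})(\d*)$", raw.lstrip("_")).groups()
        suffixes.append((SUFFIX_RANK[name], int(digits or 0)))
    return ApkVersion(
        nums=tuple(int(n) for n in m.group("nums").split(".")),  # no leading-zero rule
        letter=m.group("letter") or "",
        suffixes=tuple(suffixes),
        rel=int(m.group("rel") or 0),
    )


def _cmp(a, b) -> int:
    return (a > b) - (a < b)


def _cmp_suffixes(sa, sb) -> int:
    for x, y in zip(sa, sb):
        if x != y:
            return _cmp(x, y)
    if len(sa) == len(sb):
        return 0
    # One side has extra suffixes: a leftover pre-release suffix (_rc1) makes
    # that side smaller, a leftover post-release suffix (_p1) makes it larger.
    longer_is_a = len(sa) > len(sb)
    rank = (sa if longer_is_a else sb)[min(len(sa), len(sb))][0]
    return (1 if longer_is_a else -1) * (1 if rank > 0 else -1)


def compare(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 as v1 sorts below, equal to, or above v2."""
    a, b = parse(v1), parse(v2)
    return (_cmp(a.nums, b.nums) or _cmp(a.letter, b.letter)
            or _cmp_suffixes(a.suffixes, b.suffixes) or _cmp(a.rel, b.rel))


def naive_string_compare(v1: str, v2: str) -> int:
    """What a scanner that orders versions as plain strings does; wrong for apk."""
    return _cmp(v1, v2)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """secdb semantics: vulnerable when installed sorts strictly below the fix."""
    return compare(installed, fixed_in) < 0


if __name__ == "__main__":
    FIXED = "1.9.5p2-r0"  # spelling of the secdb entry discussed in the thread
    for installed in ("1.9.5p1-r0", "1.9.5_p2-r0", "1.9.5p2-r0", "1.9.12_p2-r0"):
        print(f"sudo {installed:>13}  vulnerable={is_vulnerable(installed, FIXED)}")
    print("apk order :", compare("1.9.5p2-r0", "1.9.12_p2-r0"))
    print("naive str :", naive_string_compare("1.9.5p2-r0", "1.9.12_p2-r0"))
```

Run it directly to see the four sudo versions classified against the fixed version; the last two lines show the correct ordering of `1.9.5p2-r0 < 1.9.12_p2-r0` next to the inverted answer a string comparison gives. Anything a scanner cannot parse should be reported rather than silently skipped, which is why `parse` raises instead of returning a default.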