Hi,
is it possible that there’s a typo in the version number '1.9.5p2-r0' of 'sudo' in CVE-2021-3156? Should the version number be '1.9.5_p2-r0' instead?
Wondering because we are getting some reports and people seem to consider the finding a false positive.
Regards,
Christian Dupuis
Docker
On Thu, 16 Mar 2023, Christian Dupuis wrote:
> is it possible that there’s a typo in the version number '1.9.5p2-r0' of ‘sudo' in CVE-2021-3156? Should the version number be '1.9.5_p2-r0’ instead?
So, https://security.alpinelinux.org/vuln/CVE-2021-3156 (and NVD too)
states "Sudo before 1.9.5p2 contains...", I don't know where this
"1.9.5_p2" is coming from. But, sudo 1.9.5p2[0] is from 2021 (i.e. Alpine
v3.12[1]), so I'm curious to know what this question is really about :-)
C.
[0] https://www.sudo.ws/releases/stable/#1.9.5p2
[1] https://pkgs.alpinelinux.org/package/v3.12/main/x86_64/sudo
--
BOFH excuse #451:
astropneumatic oscillations in the water-cooling
On Thu, 16 Mar 2023 12:12:47 +0100
Christian Dupuis <christian.dupuis@docker.com> wrote:
> Hi,
>
> is it possible that there’s a typo in the version number '1.9.5p2-r0'
> of 'sudo' in CVE-2021-3156? Should the version number be
> '1.9.5_p2-r0' instead?
I agree that it looks like a typo, but I think it is correct.
See:
https://gitlab.alpinelinux.org/alpine/aports/-/commit/7b07d36c9c463eb0692ff58146f01d3dffe8c454
Seems like we have used both `pN` and `_pN` historically and apk-tools understands both formats.
The very first sudo commit[0] in 2008 used `pkgver=1.6.9_p17`.
First time the format `pN` was used was in 2011[1], which did:
-pkgver=1.7.4_p5
+pkgver=1.7.4p6
[0]: https://gitlab.alpinelinux.org/alpine/aports/-/commit/f0d3bff8bafec4b3da291a2a71c98b69b8e170e6
[1]: https://gitlab.alpinelinux.org/alpine/aports/-/commit/8ccfff342c43a790a4faebe4b0e39230023757a6
And then it has switched back and forth over the time. We have had:
1.8.1p1 (commit 497df9759f3fc62b00cec59b31781b4ec89c56bf)
1.8.3_p1 (commit 4e7d97a25281d5639c37b72bf8a7dd351b8c513b)
...
1.8.28p1 (commit 301bbcafabd063999d60f598c47de4972be2d72f)
...
1.9.3_p1 (commit b1d8dc07ad8a9db758d5b499f3376fcad016d8c4)
...
1.9.5p1
etc.
The `p` in sudo seems to mean "patch" release or similar, which
corresponds to the meaning of `_p` in apk-tools. It does not mean the same
as 'p' in openssl's 1.1.1p.
So going forward we should probably stick to _p, even if we have not
been consistent with this in the past.
Thanks!
>
> Wondering because we are getting some reports and people seem to
> consider the finding a false positive.
>
> Regards,
>
> Christian Dupuis
> Docker
Thanks both.
We are really just trying to get the version range matching correct and stumbled over this as our code didn’t understand:
1.9.5p2-r0 < 1.9.12_p2-r0
Based on the findings here, we need to support that.
Thanks for the insight.
Regards, cd
> On 16. Mar 2023, at 13:08, Natanael Copa <ncopa@alpinelinux.org> wrote:
>
> On Thu, 16 Mar 2023 12:12:47 +0100
> Christian Dupuis <christian.dupuis@docker.com> wrote:
>
>> Hi,
>>
>> is it possible that there’s a typo in the version number '1.9.5p2-r0'
>> of 'sudo' in CVE-2021-3156? Should the version number be
>> '1.9.5_p2-r0' instead?
>
> I agree that it looks like a typo, but I think it is correct.
>
> See:
> https://gitlab.alpinelinux.org/alpine/aports/-/commit/7b07d36c9c463eb0692ff58146f01d3dffe8c454
>
> Seems like we have used both `pN` and `_pN` historically and apk-tools understands both formats.
>
> The very first sudo commit[0] in 2008 used `pkgver=1.6.9_p17`.
>
> First time the format `pN` was used was in 2011[1], which did:
>
> -pkgver=1.7.4_p5
> +pkgver=1.7.4p6
>
> [0]: https://gitlab.alpinelinux.org/alpine/aports/-/commit/f0d3bff8bafec4b3da291a2a71c98b69b8e170e6
> [1]: https://gitlab.alpinelinux.org/alpine/aports/-/commit/8ccfff342c43a790a4faebe4b0e39230023757a6
>
> And then it has switched back and forth over the time. We have had:
> 1.8.1p1 (commit 497df9759f3fc62b00cec59b31781b4ec89c56bf)
> 1.8.3_p1 (commit 4e7d97a25281d5639c37b72bf8a7dd351b8c513b)
> ...
> 1.8.28p1 (commit 301bbcafabd063999d60f598c47de4972be2d72f)
> ...
> 1.9.3_p1 (commit b1d8dc07ad8a9db758d5b499f3376fcad016d8c4)
> ...
> 1.9.5p1
>
> etc.
>
> The `p` in sudo seems to mean "patch" release or similar, which
> corresponds to the meaning of `_p` in apk-tools. It does not mean the same
> as 'p' in openssl's 1.1.1p.
>
> So going forward we should probably stick to _p, even if we have not
> been consistent with this in the past.
>
> Thanks!
>
>>
>> Wondering because we are getting some reports and people seem to
>> consider the finding a false positive.
>>
>> Regards,
>>
>> Christian Dupuis
>> Docker
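Added example, not part of this thread, not apk-tools' own version.c and not the scanner code Docker describes: a small Python comparator for apk-style versions that accepts both the `1.9.5p2` and the `1.9.5_p2` spellings Natanael lists, and a range check of the kind a vulnerability scanner needs ("installed < fixed"). The function names (`normalize_sudo_patch`, `parse_version`, `compare_versions`, `is_vulnerable`, `parses`) are this example's own. Two things are assumptions to verify against apk-tools before relying on them: the suffix keywords and their order (alpha < beta < pre < rc < bare version < cvs < svn < git < hg < p), and the decision to treat sudo's `pN` as identical to `_pN`, which follows Natanael's reading that both mean "patch release" but is applied here only when the package is sudo, since `p` in openssl's `1.1.1p` is an ordinary letter bump.

```python
"""apk-style version comparison accepting both 1.9.5p2 and 1.9.5_p2.

Added example for this thread, not apk-tools' version.c and not the
scanner code discussed above.  Assumptions made here:
  * _suffix keywords and their order follow apk-tools' pre-release and
    post-release lists (alpha < beta < pre < rc < none < cvs < svn < git < hg < p);
  * for the sudo package, a bare pN right after the numeric components
    is the patch release and means the same as apk's _pN;
  * numeric components compare as integers; a shorter component list
    sorts before a longer one with the same prefix.
"""
import re

PRE_SUFFIXES = ("alpha", "beta", "pre", "rc")     # sort below the bare version
POST_SUFFIXES = ("cvs", "svn", "git", "hg", "p")  # sort above the bare version

# Rank of the _suffix keyword: negative = pre-release, 0 = none, positive = post-release.
SUFFIX_RANK = {s: i - len(PRE_SUFFIXES) for i, s in enumerate(PRE_SUFFIXES)}
SUFFIX_RANK.update({s: i + 1 for i, s in enumerate(POST_SUFFIXES)})
SUFFIX_RANK[None] = 0

_VERSION_RE = re.compile(
    r"""^
    (?P<nums>\d+(?:\.\d+)*)                 # dotted numeric components
    (?P<letter>[a-z])?                      # optional letter bump, e.g. openssl 1.1.1p
    (?:_(?P<suffix>alpha|beta|pre|rc|cvs|svn|git|hg|p)(?P<sufno>\d+)?)?  # optional _suffixN
    (?:-r(?P<rev>\d+))?                     # optional package revision -rN
    $""",
    re.VERBOSE,
)

# sudo's spelling: digits immediately followed by 'p' and a patch number.
_SUDO_P_RE = re.compile(r"^(\d+(?:\.\d+)*)p(\d+)")


def normalize_sudo_patch(version):
    """Rewrite sudo's 1.9.5p2 spelling to apk's 1.9.5_p2 (assumption: same meaning)."""
    return _SUDO_P_RE.sub(r"\1_p\2", version, count=1)


def parse_version(version):
    """Split an apk version string into a sortable tuple.

    Returns (numeric components, letter, suffix rank, suffix number, revision).
    Raises ValueError for strings this example's grammar does not accept,
    which is exactly what happens to an un-normalized "1.9.5p2-r0".
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    letter = m.group("letter") or ""
    suffix_rank = SUFFIX_RANK[m.group("suffix")]
    suffix_no = int(m.group("sufno") or 0)
    rev = int(m.group("rev") or 0)
    return (nums, letter, suffix_rank, suffix_no, rev)


def parses(version):
    """True when parse_version accepts the string as written."""
    try:
        parse_version(version)
        return True
    except ValueError:
        return False


def compare_versions(a, b, package=None):
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    For package == "sudo" the pN spelling is normalized first; this is the
    example's own convention, not an apk-tools option.
    """
    if package == "sudo":
        a, b = normalize_sudo_patch(a), normalize_sudo_patch(b)
    ka, kb = parse_version(a), parse_version(b)
    return (ka > kb) - (ka < kb)


def is_vulnerable(installed, fixed_in, package=None):
    """True when the installed version sorts below the version carrying the fix."""
    return compare_versions(installed, fixed_in, package) < 0


if __name__ == "__main__":
    # Constructed inputs built from the version strings quoted in this thread.
    pairs = [("1.9.5p2-r0", "1.9.12_p2-r0"), ("1.9.5p1-r0", "1.9.5p2-r0"),
             ("1.9.5p2-r0", "1.9.5_p2-r0")]
    for installed, fixed in pairs:
        print(installed, "vs", fixed, "->", compare_versions(installed, fixed, package="sudo"),
              "vulnerable:", is_vulnerable(installed, fixed, package="sudo"))
```

The comparison Christian's scanner choked on, `1.9.5p2-r0 < 1.9.12_p2-r0`, is decided by the numeric components (5 < 12) once both spellings parse; `1.9.5p2-r0` against the secdb's `1.9.5p2-r0` for CVE-2021-3156 compares equal and is therefore not flagged, which is the false-positive case from the first message. Whether apk-tools itself orders `1.9.5p2` and `1.9.5_p2` as equal is not something this thread establishes, so check `version.c` (or `apk version -t`) before adopting the equivalence for production matching.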