Sudo Vulnerability

01-31-2012, 03:36 PM

On 31.01.2012 17:37, Kevin Chadwick wrote:
>
> http://www.sudo.ws/sudo/alerts/sudo_debug.html
>
> Is sudo on arch built with?
>
> -D_FORTIFY_SOURCE=2

yes

>
> I couldn't find it in makepkg.conf anyway?
>

You should merge the .pacnew

--
Florian Pritz

01-31-2012, 03:36 PM

On 31 January 2012 18:37, Kevin Chadwick <ma1l1ists@yahoo.co.uk> wrote:
>
> http://www.sudo.ws/sudo/alerts/sudo_debug.html
>
> Is sudo on arch built with?
>
> -D_FORTIFY_SOURCE=2
>
> I couldn't find it in makepkg.conf anyway?
>
> --
> Kc
I got sudo 1.8.3.p2, which is said to fix the problem. Wait a bit for
your mirror to sync and it will be there.

--
Thanasis Georgiou

01-31-2012, 03:36 PM

On Tue, Jan 31, 2012 at 5:37 PM, Kevin Chadwick <ma1l1ists@yahoo.co.uk> wrote:
>
> http://www.sudo.ws/sudo/alerts/sudo_debug.html
>
> Is sudo on arch built with?
>
> -D_FORTIFY_SOURCE=2
>
> I couldn't find it in makepkg.conf anyway?

Is it
http://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/sudo&id=3e4a55394d74313b58320a96272d3d6c401626dc
?

01-31-2012, 03:36 PM

On 01/31/2012 06:37 PM, Kevin Chadwick wrote:
>
> http://www.sudo.ws/sudo/alerts/sudo_debug.html
>
> Is sudo on arch built with?
>
> -D_FORTIFY_SOURCE=2
>

yes it is. we also have the version that is supposed to have the
vulnerability fixed.

> I couldn't find it in makepkg.conf anyway?
>

maybe you didn't merge makepkg.conf.pacnew.

--
IonuÈ›

01-31-2012, 03:37 PM

http://www.sudo.ws/sudo/alerts/sudo_debug.html

Is sudo on arch built with?

-D_FORTIFY_SOURCE=2

I couldn't find it in makepkg.conf anyway?

--
Kc

01-31-2012, 04:31 PM

On Tue, 31 Jan 2012 18:36:54 +0200
Ionut Biru wrote:

> > I couldn't find it in makepkg.conf anyway?
> >
>
> maybe you didn't merge makepkg.conf.pacnew.

It is there. I did a more /FORT rather than grep and it was
on the first page and so said wasn't found. When I actually compared it
to my build system it was staring me in the face on both machines :$

Glad I've found this. It seems there is a difference here between
OpenBSD and Arches more. On OpenBSD it searches what's displayed too.

--
Kc

01-31-2012, 04:37 PM

On Tue, Jan 31, 2012 at 6:31 PM, Kevin Chadwick <ma1l1ists@yahoo.co.uk> wrote:

> It is there. I did a more /FORT rather than grep
> It seems there is a difference here between OpenBSD and Arches more.

more +/FORT /etc/makepkg.conf works as expected, but indeed searching
while viewing yields 'pattern not found' for many, but not all,
strings.

01-31-2012, 04:42 PM

On Tue, 31 Jan 2012 17:31:17 +0000
Kevin Chadwick wrote:

> Glad I've found this. It seems there is a difference here between
> OpenBSD and Arches more. On OpenBSD it searches what's displayed too.

I'll use less from now on it's better anyway

--
Kc

01-31-2012, 06:30 PM

On Tue, 31 Jan 2012 18:37:20 +0100
Karol Blazewicz wrote:

> > It is there. I did a more /FORT rather than grep
> > It seems there is a difference here between OpenBSD and Arches more.
>
> more +/FORT /etc/makepkg.conf works as expected, but indeed searching
> while viewing yields 'pattern not found' for many, but not all,
> strings.

Indeed, OpenBSD exhibits the same behaviour for "FORT" so it's not a GPL
or GNUism.

Thankyou

--
Kc