0007011: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

ID	Project	Category	View Status	Date Submitted	Last Update

0007011	Kali Linux	General Bug	public	2021-01-27 00:30	2021-06-30 08:49

Reporter	X0RW3LL	Assigned To	rhertzog
Priority	normal	Severity	major	Reproducibility	always
Status	resolved	Resolution	fixed
Product Version	2020.4

Summary	0007011: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
Description	As per the vulnerability disclosure: https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit "affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration" The current sudo package shipped with the latest Kali package upgrades is 1.9.5p1-1, which is the bullseye vulnerable version: https://security-tracker.debian.org/tracker/CVE-2021-3156 The issue was fixed in sid, sudo version 1.9.5p1-1.1
Steps To Reproduce	To test if a system is vulnerable or not, login to the system as a non-root user. Run command “sudoedit -s /” If the system is vulnerable, it will respond with an error that starts with “sudoedit:” If the system is patched, it will respond with an error that starts with “usage:”

Date Modified	Username	Field	Change
2021-01-27 00:30	X0RW3LL	New Issue
2021-01-27 10:19	rhertzog	Assigned To	=> rhertzog
2021-01-27 10:19	rhertzog	Status	new => resolved
2021-01-27 10:19	rhertzog	Resolution	open => fixed
2021-01-27 10:19	rhertzog	Note Added: 0014141
2021-06-30 08:49	g0tmi1k	Priority	urgent => normal

rhertzog 2021-01-27 10:19 administrator ~0014141	Fixed version 1.9.5p1-1.1 is in kali-rolling. Version 1.9.5p2-1 will come in a few days after the usual delay due to migration from unstable to testing then to kali-dev and to kali-rolling.