9

There has been some traffic online this year regarding an apparently substantial vulnerability in sudo that allows unauthorized privilege elevation - CVE-2021-3156.

I've been checking sudo --version since I first heard of this, but after tonight's full-upgrade, I am still at sudo ver 1.8.27 which was originally released in Jan 2019. Has anyone heard if there's any movement on this, or if Debian or RPi OS are not affected?

Seamus

4 Answers

21

This vulnerability can be trivially tested:

To test whether your version of sudo is vulnerable, the following command can be used:

sudoedit -s /

A vulnerable version of sudo will either prompt for a password or display an error similar to:

sudoedit: /: not a regular file

A patched version of sudo will simply display a usage statement, for example:

usage: sudoedit [-AknS] [-a type] [-C num] [-c class] [-D directory] [-g group]

I have just run this command on an up-to-date Pi OS, and it's indeed patched.

Dmitry Grigoryev
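As an added example that is not part of the answer above: a small script that runs the same sudoedit probe non-interactively and classifies what it prints. The -n flag and the stdin redirect are additions here, so that a vulnerable build that wants a password fails with a message instead of hanging; the advisory's own test is the bare sudoedit -s / shown above. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the answer above. Runs the sudoedit probe from the
# advisory non-interactively and classifies the result. Assumption: -n and
# </dev/null are added here so a vulnerable build that wants a password
# prints "a password is required" and exits instead of waiting for input.

# Classify captured sudoedit output as "patched", "vulnerable" or "unknown".
classify_sudoedit_output() {
    case "$1" in
        *"usage: sudoedit"*)         echo patched ;;    # fixed build rejects -s
        *"not a regular file"*)      echo vulnerable ;; # got past the option check
        *"a password is required"*)  echo vulnerable ;; # -n turned the prompt into this
        *"password for"*)            echo vulnerable ;; # interactive prompt text
        *)                           echo unknown ;;
    esac
}

# Run the probe on this host. Prints the verdict; returns 0 only when the
# installed sudo is patched, 2 when sudoedit is not installed at all.
probe_sudoedit() {
    command -v sudoedit >/dev/null 2>&1 || { echo "sudoedit not installed"; return 2; }
    out=$(sudoedit -n -s / </dev/null 2>&1)
    verdict=$(classify_sudoedit_output "$out")
    echo "$verdict"
    [ "$verdict" = patched ]
}

# Usage: sh sudoedit-probe.sh --run
[ "${1:-}" = "--run" ] && probe_sudoedit
```

Running it with --run on the host gives a one-word verdict and a usable exit code, which is handy when checking a fleet of Pis over ssh rather than reading usage text by eye.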
20

While there are exceptions, generally stable releases of Linux distros backport important security fixes rather than packaging new upstream versions. They do this because the new upstream versions usually contain unrelated changes and every additional change brings more risk of regressions.

Unfortunately in most cases (again there are exceptions), the output of "program --version" only indicates the upstream version, not the distro-specific revisions. So it is not generally a good indication of whether a security fix has been applied.

Generally security fixes will be listed in the package's changelog which can be found at /usr/share/doc/<package>/changelog.Debian.gz. You can also check the installed version of the package against Debian's security tracker.

Debian addressed CVE-2021-3156 in version 1.8.27-1+deb10u3 and that quickly filtered its way down to Raspbian. There have however been some more minor issues raised since then that Debian has not seen fit to issue a security update for.

Peter Green
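As an added example, not part of the answer above: a script that does the two checks described there, reading the revision that mentions a CVE out of changelog.Debian.gz and comparing it with the installed revision using Debian's own version ordering (dpkg --compare-versions, with a sort -V fallback on hosts without dpkg). The sample changelog inside it is constructed for the example and is not the real sudo changelog; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the answer above. Finds the package revision in
# which a Debian changelog first mentions a CVE, and compares it with the
# installed revision. SAMPLE_CHANGELOG is constructed for this example and
# only imitates the format of /usr/share/doc/<pkg>/changelog.Debian.gz.

SAMPLE_CHANGELOG='sudo (1.8.27-1+deb10u3) buster-security; urgency=high

  * Fix heap-based buffer overflow (CVE-2021-3156).

 -- Maintainer <maintainer@example.org>  Wed, 20 Jan 2021 00:00:00 +0000

sudo (1.8.27-1+deb10u2) buster-security; urgency=high

  * Earlier, unrelated security update.

 -- Maintainer <maintainer@example.org>  Mon, 18 Jan 2021 00:00:00 +0000'

# Print the newest changelog version whose entry mentions $1 (a CVE id);
# $2 is the changelog text. Prints nothing when the CVE is not mentioned.
fixed_version_for_cve() {
    cve="$1"; changelog="$2"
    printf '%s\n' "$changelog" | awk -v cve="$cve" '
        /^[a-z0-9.+-]+ \(/ { ver = $2; gsub(/[()]/, "", ver) }   # stanza header
        ver != "" && index($0, cve) { print ver; exit }          # first mention
    '
}

# True when Debian version $1 is >= $2. dpkg applies the Debian rules
# (epochs, ~, +debNuM); sort -V is a GNU coreutils fallback for other hosts.
version_at_least() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# On a Debian-family host: is installed package $1 at or past the revision
# its own changelog says mentions $2? Returns 0 = fixed, 1 = not fixed,
# 2 = cannot tell (package or changelog missing, CVE never mentioned).
installed_fix_status() {
    pkg="$1"; cve="$2"
    installed=$(dpkg-query -W -f '${Version}' "$pkg" 2>/dev/null) || return 2
    [ -r "/usr/share/doc/$pkg/changelog.Debian.gz" ] || return 2
    fixed=$(fixed_version_for_cve "$cve" "$(zcat "/usr/share/doc/$pkg/changelog.Debian.gz")")
    [ -n "$fixed" ] || return 2
    echo "installed $installed, fix in $fixed"
    version_at_least "$installed" "$fixed"
}

# Usage: sh check-cve.sh sudo CVE-2021-3156
[ $# -eq 2 ] && installed_fix_status "$1" "$2"
```

The reason for going through dpkg rather than a plain string compare is exactly the point of the answer: "1.8.27-1+deb10u3" and "1.8.27" are the same upstream version, and only the Debian revision after the dash tells you whether the backported fix is present.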
4

If you’ve updated then it is already fixed.

Fixed in version 1.8.27-1+deb10u3.

https://www.raspberrypi.org/forums/viewtopic.php?t=301106

CoderMike
3

Debian's sudo was fixed in 1.8.27-1+deb10u3 on January 20th (almost 7 weeks ago). That fix "trickled down" into Raspberry Pi OS almost immediately.

If you update your system regularly, you should have gotten this version weeks ago. If you don't have this version, then you need to examine your update settings and investigate why you didn't get this version. Maybe you have manually pinned sudo to a specific version? Maybe you think you are running unattended updates automatically but there is a mistake in your configuration that prevents those updates from happening?

Jörg W Mittag