15

How do I upgrade sudo to version 1.9.5p2? I use Ubuntu 20.04. I have already tried:

sudo apt-get update 
sudo apt-get upgrade

But I am still on version 1.8.31.

Lochness
  • 171

2 Answers

23

This vulnerability was mitigated by the Ubuntu Security Team on 19 January 2021.

See https://ubuntu.com/security/CVE-2021-3156.

sudo 1.8.31 was patched, which is the normal way of handling most CVEs. The Ubuntu 20.04 package was bumped from 1.8.31-1ubuntu1.1 to 1.8.31-1ubuntu1.2 due to the patches. The 20.04 package won't be upgraded to 1.9.x.

Most users already have the patched version installed: Security updates are automatically detected and installed by your Ubuntu system's Unattended Upgrades application without any user action needed.

How to determine if you are using the patched package: Since this was a patch instead of a new upstream release, sudo --version will merely (and correctly) return 1.8.31 which won't help you. Instead, use apt. Here's an example using apt list. Note the NEW package version (1.8.31-1ubuntu1.2) is installed.

$ apt list sudo
Listing... Done
sudo/focal-updates,focal-security,now 1.8.31-1ubuntu1.2 amd64 [installed] 
user535733
  • 62,253
  • apt list sudo En train de lister... Fait sudo/groovy,now 1.9.1-1ubuntu1 amd64 [installé] sudo/groovy 1.9.1-1ubuntu1 i386

    I don't have the 1.2 version, so it's not patched?

    – Matrix Feb 04 '21 at 11:30
  • 1
    @Matrix you are obviously not running 20.04, so the version numbers will be different, of course. 1) Use the link. Look up the correct version for your release of Ubuntu. 2) Determine if you are using that package. If not, then run sudo apt update and sudo apt upgrade. If you still have a problem after that, then see https://askubuntu.com/questions/563408/how-can-i-tell-if-a-cve-has-been-fixed-in-ubuntus-repositories – user535733 Feb 05 '21 at 16:23
8

To check whether sudo is vulnerable to CVE-2021-3156 the maintainers recommend doing:

 sudoedit -s '\' `perl -e 'print "A" x 65536'`

If sudo is patched, it will respond with an error that starts with “usage:”.

dr0i
  • 249
    This command is the command that upstream sudo maintainers recommend as a method to check whether sudo is vulnerable to CVE-2021-3156 or not: https://www.sudo.ws/alerts/unescape_overflow.html – raj Jan 28 '21 at 13:34
  • 1
    That explanation should be in the answer. We don't want folks to misunderstand and think this code applies to all patched software everywhere. – user535733 Jan 28 '21 at 13:37
  • Took explanation of @raj into the answer. – dr0i Jan 28 '21 at 15:47