sunhux

asked:
CVE-2021-3156 sudo vulnerability: details & workaround

Vulnerability affects Sudo legacy versions (1.8.2 to 1.8.31p2) and all stable versions (1.9.0 to 1.9.5p1)

Q1:
Solaris 10's sudo version (as given by 'pkginfo -l CSWsudo') shows
that it's version 1.8.22, so is it vulnerable?

Q2:
Is there any patch released for Solaris 10, RHEL 7.x and Oracle Linux 7.x
to fix this? As this requires the attacker to log in, presumably the
various IPS vendors will not release rules/signatures for it, right?

Q3:
Are there workarounds, like applying ACLs on the sudo binary to alert us
(via email) each time someone runs sudo with the 'escape' character, or
renaming sudo away to a shell script that will trap this 'escape'
character?

Q4:
Or is there an alternative sudo for Solaris, RHEL and Oracle Linux that is
not vulnerable (and doesn't introduce other vulnerabilities) that we can
use instead?

Refs:
https://www.bleepingcomputer.com/news/security/new-linux-sudo-flaw-lets-local-users-gain-root-privileges/
https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
https://www.sudo.ws/stable.html#1.9.5p2
ASKER CERTIFIED SOLUTION
noci

This solution is only available to members of Experts Exchange.
sunhux
ASKER

https://www.sudo.ws/download.html#binary
Referring to the above URL, I can only locate TCMsudo (and after installing
it, sudo won't run, giving the error below). Is there a CSWsudo package
somewhere that we can download? I'm not used to compiling from source code.
libssp.so.0 is present in my Solaris 10 and I can't install it again.

# sudo
ld.so.1: sudo: fatal: libssp.so.0: open failed: No such file or directory
Killed

SOLUTION
sunhux
ASKER

I think the libssp.so.0 problem I faced is due to my root partition
in Solaris filling up.

The link https://itsfoss.community/t/cve-2021-3156-sudo-vulnerability/6194
says 'Solaris ... will be tricky' without offering a patch or fixed binary.


I just tested on my updated RHEL 7.9 and I'm confused: should a
"/" follow after sudoedit?

[root@ /]# cd /usr/bin
[1]+  Exit 1                  find . -name sudoedit -print  (wd: /)
(wd now: /usr/bin)
[root@ /bin]# ./sudoedit
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group]
                [-h host] [-p prompt] [-R directory] [-T timeout] [-u user]
                file ...
[root@/bin]# ./sudoedit /
sudoedit: /: not a regular file
[root@/bin]# rpm -qa |grep -i sudo
sudo-1.9.5-3.el7.x86_64



On an unpatched Solaris, I tested the following:

# /opt/csw/bin/sudoedit /
sudoedit: /: not a regular file
# /opt/csw/bin/sudoedit
usage: sudoedit [-AknS] [-C num] [-g group] [-h host] [-p prompt] [-T timeout]
                [-u user] file ...



sunhux
ASKER

I think I misunderstood the test: basically I need to issue
sudoedit -s /

So on my updated RHEL (the fixed sudo), I got:
[root@/ bin]# /usr/bin/sudoedit -s /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h
                host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...

and on my unpatched Solaris, I got:
# /opt/csw/bin/sudoedit -s /
sudoedit: /: not a regular file
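The two transcripts in this post show the runtime probe for the bug: an unfixed sudo accepts `-s` when invoked as sudoedit and goes on to open the path (hence "not a regular file"), while a fixed one rejects the combination and prints its usage. The script below is an added example, not from the thread or from the sudo project: it runs that probe against each sudo installation on a host (the thread shows sudo under both /usr/bin and /opt/csw/bin; the /usr/local/bin candidate and the function names are my own assumptions) and classifies the result. The probe needs no sudoers entry and never escalates privilege, since only option parsing is exercised.

```shell
#!/bin/sh
# Added example, not from the original thread: run the `sudoedit -s /`
# probe against one or more sudoedit binaries and classify the result.
#   "sudoedit: /: not a regular file"  -> parser accepted -s: unfixed
#   "usage: sudoedit ..."              -> -s rejected for sudoedit: fixed
# Anything else (not found, no exec permission, ...) is reported as unknown
# rather than guessed.

classify_sudoedit_output() {
    case "$1" in
        *"not a regular file"*) echo vulnerable ;;
        *"usage: sudoedit"*)    echo patched ;;
        *)                      echo unknown ;;
    esac
}

# Probe a single binary; prints "<path> <verdict>", exit 1 if it is absent.
probe_sudoedit() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo "$bin missing"
        return 1
    fi
    # 2>&1 merges the diagnostic; </dev/null keeps sudo from prompting.
    # sudoedit exits non-zero in both cases, so the status is ignored.
    out=$("$bin" -s / 2>&1 </dev/null) || true
    echo "$bin $(classify_sudoedit_output "$out")"
}

# Probe every candidate location. /usr/bin and /opt/csw/bin appear in the
# thread; /usr/local/bin is an assumed location for an SMC-style install.
probe_all_sudoedit() {
    for p in ${1:-/usr/bin/sudoedit /opt/csw/bin/sudoedit /usr/local/bin/sudoedit}; do
        probe_sudoedit "$p" || true
    done
}

# Usage: sh probe_sudoedit.sh
#        sh probe_sudoedit.sh "/usr/bin/sudoedit /opt/csw/bin/sudoedit"
if [ $# -gt 0 ]; then
    probe_all_sudoedit "$1"
else
    :   # define functions only when sourced; pass a path list to run
fi
```

On the RHEL 7.9 box above this reports "/usr/bin/sudoedit patched" and on the unpatched Solaris "/opt/csw/bin/sudoedit vulnerable"; an "unknown" verdict means the probe itself failed (for example a binary that is not executable by the probing user) and should be looked at by hand, not counted as fixed.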

sunhux
ASKER

I have restored the Solaris 10 x86 VM from the snapshot backup
and housekept the root partition:

sudo (from SMCsudo 1.8.1p1) works. I deinstalled it and installed
TCMsudo (1.9.5p2), and again got the error below when issuing
sudo:

# sudo
ld.so.1: sudo: fatal: libssp.so.0: open failed: No such file or directory
Killed

Then I downloaded the following package from CSW and installed it, but
am still getting the same issue as above:


# pkgadd -d ./libssp0-5.5.0,REV=2017.10.23-SunOS5.10-i386-CSW.pkg

The following packages are available:
  1  CSWlibssp0     libssp0 - The GNU Compiler Collection, libssp.so.0
                    (i386) 5.5.0,REV=2017.10.23

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: all

Processing package instance <CSWlibssp0> from </tmp/tcmsudo/libssp0-5.5.0,REV=2017.10.23-SunOS5.10-i386-CSW.pkg>

libssp0 - The GNU Compiler Collection, libssp.so.0(i386) 5.5.0,REV=2017.10.23
Please see /opt/csw/share/doc/libssp0/license for license information.
## Processing package information.
## Processing system information.
## Verifying package dependencies.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

Installing libssp0 - The GNU Compiler Collection, libssp.so.0 as <CSWlibssp0>

## Installing part 1 of 1.
/opt/csw/lib/amd64/libssp.so.0 <symbolic link>
/opt/csw/lib/amd64/libssp.so.0.0.0
/opt/csw/lib/libssp.so.0 <symbolic link>
/opt/csw/lib/libssp.so.0.0.0
/opt/csw/share/doc/libssp0/license
[ verifying class <none> ]

Installation of <CSWlibssp0> was successful.

# sudo
ld.so.1: sudo: fatal: libssp.so.0: open failed: No such file or directory
Killed


SOLUTION

SOLUTION
sunhux
ASKER

Sorry, I didn't manage to reply earlier.
>So this doesn't even work for you?
>https://www.opencsw.org/packages/CSWsudo/
I was navigating the above URL but there's no installable
Solaris package I can download from it to install. It's
only the source code. The 2 links "SourceForge" and "OpenGrok"
lead me to TCMsudo, not CSWsudo. Did I miss anything?


My colleague restored the entire Solaris 10 VM from backup and
here's the output I got (I didn't manage to issue those commands
after installing the latest 1.9.5p2 sudo and before he restored it):

Noci's suggestion (no indication of the missing libssp.so.0):
# ldd $( which sudo )
        libiconv.so.2 =>         /usr/local/lib/libiconv.so.2
        libsec.so.1 =>   /usr/lib/libsec.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libgcc_s.so.1 =>         /usr/local/lib/libgcc_s.so.1
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libavl.so.1 =>   /lib/libavl.so.1
        libmp.so.2 =>    /lib/libmp.so.2
        libmd.so.1 =>    /lib/libmd.so.1
        libscf.so.1 =>   /lib/libscf.so.1
        libdoor.so.1 =>  /lib/libdoor.so.1
        libuutil.so.1 =>         /lib/libuutil.so.1
        libgen.so.1 =>   /lib/libgen.so.1
        libm.so.2 =>     /lib/libm.so.2
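The `ldd` listing above resolves every dependency to a path, which is what the suggestion was checking for: a sudo built against libssp would list the library with "(file not found)" in place of a path (Solaris ldd) or "not found" (GNU ldd). The script below is an added example, not from the thread: it scans ldd output for unresolved libraries and then looks for the missing soname in the usual library directories, so you can tell "library absent" from "present but not on the runtime linker's search path". The function names, the directory list and the sample ldd lines are constructed. One caveat worth knowing when the binary is sudo: it is setuid root, and for setuid programs the runtime linker ignores LD_LIBRARY_PATH (on Solaris only the trusted /lib/secure and /usr/lib/secure directories are honoured), so a library in /opt/csw/lib is only found if that directory is in the system search path configured with crle(1) or in the binary's own RUNPATH.

```shell
#!/bin/sh
# Added example, not from the original thread: find unresolved shared
# libraries in `ldd` output and locate them on disk.  Solaris ldd prints
#     libssp.so.0 =>   (file not found)
# and GNU ldd prints
#     libssp.so.0 => not found
# for a dependency the runtime linker cannot locate.

# Read ldd output on stdin, print the soname of each unresolved dependency.
# awk's default field splitting drops ldd's leading tab, so $1 is the soname.
ldd_missing_libs() {
    awk '/\(file not found\)/ || /=>[ \t]*not found/ { print $1 }'
}

# Look for a soname in common library directories (constructed list for
# Solaris 10 with SMC/CSW packages). Prints the first match, exit 1 if none.
find_library() {
    so=$1
    for d in /lib /usr/lib /usr/local/lib /opt/csw/lib /usr/sfw/lib; do
        if [ -e "$d/$so" ]; then
            echo "$d/$so"
            return 0
        fi
    done
    return 1
}

# Run ldd on a binary and report each unresolved library, saying whether a
# copy exists somewhere the linker was not told to look. Exit 0 if all
# dependencies resolve, 1 otherwise.
check_binary_deps() {
    bin=$1
    missing=$(ldd "$bin" 2>/dev/null | ldd_missing_libs)
    if [ -z "$missing" ]; then
        echo "$bin: all dependencies resolved"
        return 0
    fi
    for so in $missing; do
        if loc=$(find_library "$so"); then
            echo "$bin: $so unresolved, but present at $loc (not on the linker search path)"
        else
            echo "$bin: $so unresolved and not found in common library directories"
        fi
    done
    return 1
}

# Usage: sh check_deps.sh /opt/csw/bin/sudo
if [ $# -gt 0 ]; then
    check_binary_deps "$1"
fi
```

For a setuid binary such as sudo the "present at ... (not on the linker search path)" case is the one to act on: adding the directory with crle(1) or installing a build whose RUNPATH already names it is the fix, whereas exporting LD_LIBRARY_PATH will not change what `sudo` itself sees even though it changes the `ldd` output.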


SOLUTION

SOLUTION
sunhux
ASKER

>That sudo doesn't use libssp.so.0 ==> probably your sudo is a different one.
I think TCMsudo uses libssp, not SMCsudo and not CSWsudo.

>Is there an alias referring to a different sudo?
None, as shown below:
# alias
autoload='typeset -fu'
command='command '
functions='typeset -f'
history='fc -l'
integer='typeset -i'
local=typeset
ls=/usr/bin/ls
nohup='nohup '
r='fc -e -'
stop='kill -STOP'
suspend='kill -STOP $$'

>Is there a different path?
After restoring, the following is my PATH, but I didn't get to capture the PATH when TCMsudo was installed:
# echo $PATH
/usr/sbin:/usr/bin::/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/sbin:/usr/local/apache-flume-1.8.0-bin/bin


> https://www.sudo.ws/download.html#binary
Yes, the above is the only updated (1.9.5p2) binary sudo for Solaris that I could find,
and it's TCMsudo. I can't locate any binary of this version for CSW or SMC sudo.
SOLUTION
sunhux
ASKER

>Is there something specific that you are looking at, as the original package should suffice?
I'm OK with using TCMsudo if it works on our Solaris 10 x86, but after installing it,
it gave the libssp0 error, and it's not just a message: sudo can't work at all.
SOLUTION