GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Tue Mar 06, 2012 6:26 am Post subject: [ GLSA 201203-06 ] sudo: Privilege escalation
Gentoo Linux Security Advisory
Title: sudo: Privilege escalation (GLSA 201203-06)
Severity: high
Exploitable: local
Date: March 06, 2012
Bug(s): #351490, #401533
ID: 201203-06
Synopsis
Two vulnerabilities have been discovered in sudo, allowing local
attackers to possibly gain escalated privileges.
Background
sudo allows a system administrator to give users the ability to run
commands as other users.
Affected Packages
Package: app-admin/sudo
Vulnerable: < 1.8.3_p2
Unaffected: >= 1.8.3_p2
Unaffected: >= 1.7.4_p5 < 1.7.5
Architectures: All supported architectures
Description
Two vulnerabilities have been discovered in sudo:
- When the sudoers file is configured with a Runas group, sudo does not
  prompt for a password when changing to the new group (CVE-2011-0010).
- A format string vulnerability exists in the "sudo_debug()" function
  (CVE-2012-0809).
Impact
A local attacker could possibly gain the ability to run arbitrary
commands with the privileges of other users or groups, including root.
Workaround
There is no known workaround at this time.
Resolution
All sudo users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.8.3_p2"
References
CVE-2011-0010
CVE-2012-0809
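A version check against the ranges listed under Affected Packages, added here as an example; it is not part of the original advisory or of Portage. It assumes a simplified Gentoo version syntax (dotted integers, optional _pN and -rN), and the function names are hypothetical.

```python
import re

# Version bounds copied from the advisory's "Affected Packages" section.
FIXED = "1.8.3_p2"                      # Unaffected: >= 1.8.3_p2
BACKPORT = ("1.7.4_p5", "1.7.5")        # Unaffected: >= 1.7.4_p5 < 1.7.5

# Simplified Gentoo version syntax (assumption): dotted integers, optional
# _pN patch level, optional -rN ebuild revision. Other suffixes are rejected.
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:_p(\d+))?(?:-r(\d+))?$")


def parse(version):
    """Return a tuple that sorts in Gentoo order for the supported syntax."""
    # Upstream `sudo -V` prints e.g. "1.8.3p2"; Gentoo writes "1.8.3_p2".
    version = re.sub(r"(?<=\d)p(?=\d)", "_p", version.strip())
    m = _VERSION.match(version)
    if m is None:
        raise ValueError("unsupported version string: %r" % version)
    numbers = tuple(int(part) for part in m.group(1).split("."))
    # No _p suffix sorts below _p0, so represent it as -1.
    patch = int(m.group(2)) if m.group(2) is not None else -1
    revision = int(m.group(3) or 0)
    return numbers, patch, revision


def is_affected(version):
    """True if the version falls in the advisory's vulnerable range."""
    v = parse(version)
    if v >= parse(FIXED):
        return False
    low, high = (parse(bound) for bound in BACKPORT)
    return not (low <= v < high)


if __name__ == "__main__":
    # Constructed sample versions, not taken from a real system.
    for sample in ("1.7.4_p4", "1.7.4_p5", "1.7.5", "1.8.3p1", "1.8.3_p2-r1"):
        print(sample, "VULNERABLE" if is_affected(sample) else "ok")
```

Note that 1.7.5 itself is reported as vulnerable: the advisory's second unaffected range ends before it, and it is below 1.8.3_p2.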