Posted: Tue Mar 06, 2012 6:26 am
Post subject: [ GLSA 201203-06 ] sudo: Privilege escalation
Gentoo Linux Security Advisory
Title: sudo: Privilege escalation (GLSA 201203-06)
Date: March 06, 2012
Bug(s): #351490, #401533
Two vulnerabilities have been discovered in sudo, allowing local
attackers to possibly gain escalated privileges.
sudo allows a system administrator to give users the ability to run
commands as other users.
Vulnerable: < 1.8.3_p2
Unaffected: >= 1.8.3_p2
Unaffected: >= 1.7.4_p5 < 1.7.5
Architectures: All supported architectures
Two vulnerabilities have been discovered in sudo:
- When the sudoers file is configured with a Runas group, sudo does not
prompt for a password when changing to the new group (CVE-2011-0010).
- A format string vulnerability exists in the "sudo_debug()" function
A local attacker could possibly gain the ability to run arbitrary
commands with the privileges of other users or groups, including root.
There is no known workaround at this time.
All sudo users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/sudo-1.8.3_p2"
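
The affected-version ranges above, turned into a check that classifies a Portage version string for app-admin/sudo. This is an added example, not part of the advisory or of Portage; it assumes a subset of Gentoo version syntax (dotted numbers, optional _pN, optional -rN), and the function names and sample versions are hypothetical.

```python
import re

# Assumption: only dotted numbers, an optional _pN suffix and an optional -rN
# revision are accepted. Other Gentoo suffixes (_alpha, _beta, _pre, _rc) and
# letter suffixes are rejected instead of being compared incorrectly.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_p(\d*))?(?:-r(\d+))?$")


def parse_version(version):
    """Return a sortable key for a Gentoo-style version string."""
    match = _VERSION_RE.match(version)
    if match is None:
        raise ValueError(f"unsupported version syntax: {version!r}")
    numbers, patch, revision = match.groups()
    return (
        tuple(int(part) for part in numbers.split(".")),
        # A version without _p sorts below the same version with any _pN.
        -1 if patch is None else int(patch or 0),
        int(revision or 0),
    )


def glsa_201203_06_status(version):
    """Classify a sudo version against the ranges listed in GLSA 201203-06."""
    key = parse_version(version)
    # Unaffected: >= 1.8.3_p2
    if key >= parse_version("1.8.3_p2"):
        return "unaffected"
    # Unaffected: >= 1.7.4_p5 and < 1.7.5
    if parse_version("1.7.4_p5") <= key < parse_version("1.7.5"):
        return "unaffected"
    # Everything else falls under "Vulnerable: < 1.8.3_p2".
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample versions, not taken from a real host.
    for sample in ("1.7.4_p4", "1.7.4_p5", "1.7.5", "1.8.3_p1", "1.8.3_p2"):
        print(f"app-admin/sudo-{sample}: {glsa_201203_06_status(sample)}")
```
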