| Summary: | <app-admin/sudo-1.7.2_p4: Privilege escalation bug with sudoedit (CVE-2010-{0426,0427}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tobias Heinlein (RETIRED) <keytoaster> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | critical | CC: | base-system |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.sudo.ws/sudo/alerts/sudoedit_escalate.html | | |
| Whiteboard: | A1 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Tobias Heinlein (RETIRED)
2010-02-25 20:44:59 UTC
Diego allowed me to bump it, which I just did.

Arches, please test and mark stable:
=app-admin/sudo-1.7.2_p4
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

x86 stable

ppc64 done

Stable for HPPA.

Stable for PPC.

amd64 stable.

CVE-2010-0426 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0426): sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which allows local users to gain privileges via a crafted executable file, as demonstrated by a file named sudoedit in a user's home directory.

CVE-2010-0427 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0427): sudo 1.6.x before 1.6.9p21, when the runas_default option is used, does not properly set group memberships, which allows local users to gain privileges via a sudo command.

alpha/arm/ia64/m68k/s390/sh/sparc stable

GLSA request filed.

MIPS guys: please see to add ~mips ASAP

[0] points out some new issues with sudoedit. This affects up to 1.7.2p5.

[0] http://sudo.ws/sudo/alerts/sudoedit_escalate2.html

p6 is in tree, since p6 is a different (but related) problem and p4 is all stable, maybe a new bug?

(In reply to comment #12)
> p6 is in tree, since p6 is a different (but related) problem and p4 is all
> stable, maybe a new bug?
>

Right. I just filed bug 321697. This bug here is fixed, it's only kept open for ~mips.

just for the record, as I didn't see it mentioned... this was GLSA 201003-01