A vulnerability has been reported in Sudo, which can be exploited by malicious, local users to bypass certain security restrictions. The vulnerability is caused by improper error handling within the Kerberos 5 authentication mechanism. This can be exploited to execute commands allowed by the Sudo configuration without proper authentication. NOTE: Successful exploitation requires that Sudo is linked directly with the Kerberos 5 libraries, and that the affected machine is a Kerberos 5 client. The vulnerability is reported in versions prior to 1.6.9.
CC'ing maintainer and setting whiteboard status.
Whoops, forgot CVE number. Thanks rbu.
As long as it is only linked against PAM it's not affected.
taviso is away...bump it?
(In reply to comment #4)
> taviso is away...bump it?

Err, like jaervosz pointed out, we're not affected actually.

ldd /usr/bin/sudo
	libpam.so.0 => /lib/libpam.so.0 (0xf7fb8000)
	libdl.so.2 => /lib/libdl.so.2 (0xf7fa0000)
	libc.so.6 => /lib/libc.so.6 (0xf7e3c000)
	/lib/ld-linux.so.2 (0xf7fd8000)

And from the ebuild:

# TODO: Fix support for krb4 and krb5

So closing this one as invalid.
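The triage done by hand in the last comment (version older than 1.6.9, and sudo linked directly against the Kerberos 5 libraries rather than only against PAM), written out as a small POSIX shell script. This is an added example and is not part of the bug thread, the sudo project, or the Gentoo ebuild. The PAM-only loader map is copied from the comment above; the Kerberos 5 loader map is constructed, and the library names it matches on (libkrb5, libgssapi_krb5, libk5crypto) are an assumption about what a build configured with Kerberos 5 support pulls in. A box that only reaches Kerberos through pam_krb5 still shows only libpam in the map, which is exactly the case the thread closes as not affected.

```shell
#!/bin/sh
# Added example: decide whether a sudo binary is in scope for the Kerberos 5
# authentication bypass described above. Two conditions must both hold:
#   1. the sudo version is older than 1.6.9
#   2. sudo is linked directly against the Kerberos 5 libraries (a build that
#      only links libpam is out of scope, as the thread concludes)
# The library names matched below are an assumption about a krb5-enabled build.

# version_lt A B: succeed when dotted version A sorts before B.
# Per-field numeric sort, so 1.6.10 > 1.6.9 and 1.6.8p12 < 1.6.9.
version_lt() {
  if [ "$1" = "$2" ]; then return 1; fi
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  if [ "$first" = "$1" ]; then return 0; fi
  return 1
}

# linked_against_krb5 LDD_OUTPUT: succeed when the loader map names a
# Kerberos 5 library (assumed markers of a build with Kerberos 5 support).
linked_against_krb5() {
  printf '%s\n' "$1" | grep -Eq 'lib(krb5|gssapi_krb5|k5crypto)\.so'
}

# sudo_krb5_exposed VERSION LDD_OUTPUT: succeed only when both conditions hold.
sudo_krb5_exposed() {
  version_lt "$1" 1.6.9 && linked_against_krb5 "$2"
}

# triage_local: run the check against the sudo installed on this host.
# "sudo -V" prints "Sudo version X.Y.Z" on its first line.
triage_local() {
  ver=$(sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p')
  if [ -z "$ver" ]; then
    echo "could not determine the installed sudo version"
    return 2
  fi
  maps=$(ldd "$(command -v sudo)" 2>/dev/null || true)
  if sudo_krb5_exposed "$ver" "$maps"; then
    echo "sudo $ver is older than 1.6.9 and linked against Kerberos 5: exposed"
  else
    echo "sudo $ver: not exposed by this check"
  fi
}

# report VERSION LABEL LDD_OUTPUT: print the verdict for one constructed case.
report() {
  if sudo_krb5_exposed "$1" "$3"; then
    echo "sudo $1, $2: exposed"
  else
    echo "sudo $1, $2: not exposed"
  fi
}

# Constructed input: the PAM-only loader map quoted in the thread.
PAM_ONLY_MAP='libpam.so.0 => /lib/libpam.so.0 (0xf7fb8000)
libdl.so.2 => /lib/libdl.so.2 (0xf7fa0000)
libc.so.6 => /lib/libc.so.6 (0xf7e3c000)
/lib/ld-linux.so.2 (0xf7fd8000)'

# Constructed input: a hypothetical build that links the MIT Kerberos 5 libraries.
KRB5_MAP='libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xf7f40000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xf7f10000)
libpam.so.0 => /lib/libpam.so.0 (0xf7fb8000)
libc.so.6 => /lib/libc.so.6 (0xf7e3c000)
/lib/ld-linux.so.2 (0xf7fd8000)'

# With --local, inspect this host; otherwise walk the constructed cases.
if [ "${1:-}" = "--local" ]; then
  triage_local
else
  report 1.6.8p12 "PAM-only build" "$PAM_ONLY_MAP"
  report 1.6.8p12 "Kerberos 5 build" "$KRB5_MAP"
  report 1.6.9 "Kerberos 5 build" "$KRB5_MAP"
fi
```

Run it with no arguments to see the three constructed verdicts, or with `--local` to check the sudo on the current host. The version comparison deliberately treats a patch-level suffix such as `p12` as part of the third field, so `1.6.8p12` sorts before `1.6.9` and `1.6.9p1` does not.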