From the upstream advisory at $URL:
Sudo versions affected:
1.8.0 through 1.8.3p1 inclusive. Older versions of sudo are not affected.
Sudo 1.8.0 introduced simple debugging support that was primarily intended for use when developing policy or I/O logging plugins. The sudo_debug() function contains a flaw where the program name is used as part of the format string passed to the fprintf() function. The program name can be controlled by the caller, either via a symbolic link or, on some systems, by setting argv when executing sudo. For example:
$ ln -s /usr/bin/sudo ./%s
$ ./%s -D9
Using standard format string vulnerability exploitation techniques it is possible to leverage this bug to achieve root privileges.
The bug is fixed in sudo 1.8.3p2. Sudo version 1.8.3p1 may be updated to version 1.8.3p2 via the file sudo-1.8.3p2.patch.gz. For sudo versions 1.8.0-1.8.3, the patch to sudo.c in sudo-1.8.3p2.patch.gz will also apply.
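The flaw the advisory describes, as an added example that is not sudo's source and not part of the original report: a caller-controlled program name pasted into a format string adds conversion directives that have no matching arguments, while passing the name as an argument to a constant format keeps it inert. The function names and the "settings" debug message are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>

/* Count printf conversion directives in fmt; "%%" is a literal percent. */
static int count_directives(const char *fmt)
{
    int n = 0;
    for (; *fmt; fmt++) {
        if (*fmt != '%')
            continue;
        if (fmt[1] == '%')
            fmt++;              /* skip the escaped percent */
        else
            n++;
    }
    return n;
}

/* Flawed pattern: the caller-controlled program name becomes part of the format. */
static int build_format_flawed(char *dst, size_t len, const char *prog, const char *fmt)
{
    snprintf(dst, len, "%s: %s\n", prog, fmt);
    return count_directives(dst);   /* directives the final format would consume */
}

/* Corrected pattern: name passed as data to a constant format; fmt used unchanged. */
static int debug_fixed(char *dst, size_t len, const char *prog, const char *fmt, ...)
{
    va_list ap;
    int n, off = snprintf(dst, len, "%s: ", prog);
    if (off < 0 || (size_t)off >= len)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst + off, len - (size_t)off, fmt, ap);
    va_end(ap);
    return n < 0 ? -1 : off + n;
}

int main(void)
{
    char buf[128];
    const char *fmt = "settings: %s=%s";    /* constructed debug message */
    printf("sudo -> %d directives\n", build_format_flawed(buf, sizeof buf, "sudo", fmt));
    printf("%%s   -> %d directives\n", build_format_flawed(buf, sizeof buf, "%s", fmt));
    debug_fixed(buf, sizeof buf, "%s", fmt, "debug_level", "9");
    puts(buf);
    return 0;
}
```

The flawed builder only counts directives and never formats with the tainted string, so the example is safe to run; the count going from 2 to 3 is the mismatch that compiler warnings such as -Wformat-security are meant to catch when a non-literal format reaches printf-family calls.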
1.8.3_p2 now in the tree
(In reply to comment #1)
> 1.8.3_p2 now in the tree
Arches, please test and mark stable:
Target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
Format string vulnerability in the sudo_debug function in Sudo 1.8.0 through
1.8.3p1 allows local users to execute arbitrary code via format string
sequences in the program name for sudo.
Thanks, everyone. Already on existing GLSA draft.
This issue was resolved and addressed in
GLSA 201203-06 at http://security.gentoo.org/glsa/glsa-201203-06.xml
by GLSA coordinator Sean Amoss (ackle).