Bug 401533 (CVE-2012-0809) - <app-admin/sudo-1.8.3_p2 : format string vulnerability (CVE-2012-0809)
Summary: <app-admin/sudo-1.8.3_p2 : format string vulnerability (CVE-2012-0809)
Alias: CVE-2012-0809
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
Whiteboard: A1 [glsa]
Reported: 2012-01-30 15:40 UTC by Agostino Sarubbo
Modified: 2012-03-06 02:03 UTC
Description Agostino Sarubbo gentoo-dev 2012-01-30 15:40:43 UTC
From the upstream advisory at $URL:

Sudo versions affected:
1.8.0 through 1.8.3p1 inclusive. Older versions of sudo are not affected.

Sudo 1.8.0 introduced simple debugging support that was primarily intended for use when developing policy or I/O logging plugins. The sudo_debug() function contains a flaw where the program name is used as part of the format string passed to the fprintf() function. The program name can be controlled by the caller, either via a symbolic link or, on some systems, by setting argv[0] when executing sudo. For example:
    $ ln -s /usr/bin/sudo ./%s
    $ ./%s -D9
    Segmentation fault
Using standard format string vulnerability exploitation techniques it is possible to leverage this bug to achieve root privileges.

The bug is fixed in sudo 1.8.3p2. Sudo version 1.8.3p1 may be updated to version 1.8.3p2 via the file sudo-1.8.3p2.patch.gz. For sudo versions 1.8.0-1.8.3, the patch to sudo.c in sudo-1.8.3p2.patch.gz will also apply.
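
The flaw class described in the advisory above, as an added C illustration that is neither sudo's source nor part of the original report. The function names `build_flawed_format`, `count_directives` and `debug_safe` are hypothetical and the sample program name is constructed; the flawed format string is only built and inspected, never passed to a printf-family call.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Flawed pattern: the program name is spliced into the format string itself.
 * This only builds the string that would later be handed to vfprintf(). */
static void build_flawed_format(char *out, size_t n,
                                const char *progname, const char *fmt)
{
    snprintf(out, n, "%s: %s\n", progname, fmt);
}

/* Count conversion specifications; "%%" is a literal percent sign. */
static int count_directives(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }
        count++;
    }
    return count;
}

/* Hardened pattern: expand the caller's message first, then emit the
 * program name strictly as data under a constant format string. */
static int debug_safe(char *out, size_t n, const char *progname,
                      const char *fmt, ...)
{
    char msg[256];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(msg, sizeof(msg), fmt, ap);
    va_end(ap);
    return snprintf(out, n, "%s: %s\n", progname, msg);
}

int main(void)
{
    const char *progname = "%s"; /* constructed: the symlink name from the advisory */
    char fmt[128], line[128];

    build_flawed_format(fmt, sizeof(fmt), progname, "debug level %d");
    printf("flawed format: %d directives, 1 argument supplied\n",
           count_directives(fmt));
    debug_safe(line, sizeof(line), progname, "debug level %d", 9);
    fputs(line, stdout);
    return 0;
}
```

The mismatch between directives and supplied arguments is what makes the flawed form undefined behaviour; in the hardened form the program name never reaches a format-string position.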
Comment 1 SpanKY gentoo-dev 2012-01-30 16:41:04 UTC
1.8.3_p2 now in the tree
Comment 2 Agostino Sarubbo gentoo-dev 2012-01-30 16:49:41 UTC
(In reply to comment #1)
> 1.8.3_p2 now in the tree

Thanks Mike.

Arches, please test and mark stable:
Target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2012-01-30 18:06:00 UTC
amd64 stable
Comment 4 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-01-30 22:01:24 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-01-30 22:56:37 UTC
Stable for HPPA.
Comment 6 Brent Baude (RETIRED) gentoo-dev 2012-02-01 17:24:46 UTC
ppc done
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2012-02-04 15:32:59 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-02-20 05:14:31 UTC
CVE-2012-0809:
  Format string vulnerability in the sudo_debug function in Sudo 1.8.0 through
  1.8.3p1 allows local users to execute arbitrary code via format string
  sequences in the program name for sudo.
Comment 9 Brent Baude (RETIRED) gentoo-dev 2012-03-03 14:38:25 UTC
ppc64 done
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-03 14:42:44 UTC
Thanks, everyone. Already on existing GLSA draft.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-03-06 02:03:50 UTC
This issue was resolved and addressed in
 GLSA 201203-06 at
by GLSA coordinator Sean Amoss (ackle).