Bug 416281 (CVE-2012-2337) - <app-admin/sudo-1.8.5_p1 : Incorrect IP matching privilege escalation vulnerability (CVE-2012-2337)
Summary: <app-admin/sudo-1.8.5_p1 : Incorrect IP matching privilege escalation vulnera...
Status: RESOLVED FIXED
Alias: CVE-2012-2337
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: http://www.sudo.ws/sudo/alerts/netmas...
Whiteboard: A1 [glsa]
Keywords:
Depends on: 416371
Blocks:
Reported: 2012-05-16 16:10 UTC by Tim Sammut (RETIRED)
Modified: 2012-07-09 22:16 UTC
Description Tim Sammut (RETIRED) gentoo-dev 2012-05-16 16:10:44 UTC
From the upstream advisory at $URL:

Summary:

A flaw exists in the IP network matching code in sudo versions 1.6.9p3 through 1.8.4p4 that may result in the local host being matched even though it is not actually part of the network described by the IP address and associated netmask listed in the sudoers file or in LDAP. As a result, users authorized to run commands on certain IP networks may be able to run commands on hosts that belong to other networks not explicitly listed in sudoers.

Sudo versions affected:

Sudo versions 1.6.9p3 through 1.8.4p4 inclusive are affected. The bug only has an effect when the sudoers file (or LDAP sudoers data) uses a host specification that grants permissions using an IP address with an associated netmask, e.g. 10.0.1.0/255.255.255.0 or 10.0.2.0/24.

CVE ID:

This vulnerability has been assigned CVE 2012-2337 in the Common Vulnerabilities and Exposures database.

Details:

Sudo supports granting access to commands on a per-host basis. The host specification may be in the form of a host name, a netgroup, an IP address, or an IP network (an IP address with an associated netmask).

When IPv6 support was added to sudo, a bug was introduced that caused the IPv6 network matching code to be called when an IPv4 network address does not match. Depending on the value of the uninitialized portion of the IPv6 address, it is possible for the IPv4 network number to match when it should not. This bug only affects IP network matching and does not affect simple IP address matching.

The reported configuration that exhibited the bug was an LDAP-based sudo installation where the sudoRole object contained multiple sudoHost entries, each containing a different IPv4 network. File-based sudoers should be affected as well as the same matching code is used.

Impact:

Exploitation of the bug requires that the user already be in the sudoers file (or sudoers LDAP data) and be granted access to commands on hosts on one or more IPv4 networks.

If sudoers does not include IP networks in the host specification portion of the sudoers rules, the bug has no effect.

Workaround:

The bug can be worked around by using netgroups, host names or IP addresses in place of IP networks in sudoers.

Fix:

The bug is fixed in sudo 1.8.4p5 and 1.7.9p1.

Credit:

The issue was reported internally to Red Hat Bugzilla.
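
An added example, not part of the advisory or of sudo: a heuristic Python audit that lists host specifications written as IPv4 networks in sudoers text or in LDIF sudoHost attributes, the only configurations the advisory describes as affected and the ones its workaround replaces. The function names and sample data are constructed for illustration; it does not follow #include files and is not a full sudoers grammar.

```python
import re

_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_ADDR = rf"{_OCTET}(?:\.{_OCTET}){{3}}"
# IPv4 address plus dotted netmask or prefix length (the two forms the advisory names).
NETWORK_RE = re.compile(rf"(?<![\w./]){_ADDR}/(?:{_ADDR}|\d{{1,2}})(?![\w.])")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Cmnd_Alias")

# Constructed sample inputs (not taken from any real system).
SAMPLE_SUDOERS = r"""Host_Alias LAN = 10.0.1.0/255.255.255.0, \
                 10.0.2.0/24
alice   LAN = /usr/bin/systemctl
bob     192.0.2.10 = ALL          # single address: not affected
carol   web01 = /sbin/ip route add 10.9.0.0/16
dave    172.16.0.0/12 = NOPASSWD: /bin/ls
"""
SAMPLE_LDIF = """dn: cn=ops,ou=SUDOers,dc=example,dc=com
sudoUser: alice
sudoHost: 10.0.3.0/24
sudoHost: 10.0.4.0/255.255.255.0
"""


def host_fields(line):
    """Yield the parts of one logical line that hold host specifications."""
    if line.lower().startswith("sudohost:"):      # LDIF attribute of a sudoRole
        yield line.split(":", 1)[1]
    elif line.startswith("Host_Alias"):
        yield line[len("Host_Alias"):]
    elif not line.startswith(SKIP):
        # User spec "who hosts = cmnds [: hosts = cmnds]": keep text left of "=".
        for part in line.split(":"):
            if "=" in part:
                yield part.split("=", 1)[0]


def find_ip_network_hosts(text):
    """Return (line_number, network) for each IPv4 network used as a host spec."""
    hits, logical, start = [], "", 0
    for num, raw in enumerate(text.splitlines(), 1):
        if not logical:
            start = num
        # Drop comments but keep "#uid" user names, then join continuation lines.
        logical += re.sub(r"(?:^|\s)#(?!\d).*", "", raw).strip()
        if logical.endswith("\\"):
            logical = logical[:-1] + " "
            continue
        for field in host_fields(logical):
            hits += [(start, m.group(0)) for m in NETWORK_RE.finditer(field)]
        logical = ""
    return hits
```

Networks that appear only as command arguments (carol's rule) and single addresses (bob's rule) are not reported, matching the advisory's statement that simple IP address matching is unaffected.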
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-05-16 16:12:40 UTC
Thanks for the heads-up via email, Diego. Hopefully I'm not misunderstanding your note by calling arches now.

Arches, please test and mark stable:
=app-admin/sudo-1.8.5
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2012-05-16 16:33:11 UTC
Stable for HPPA.
Comment 3 Elijah "Armageddon" El Lazkani (amd64 AT) 2012-05-16 18:18:11 UTC
amd64: pass
Comment 4 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-05-17 08:57:09 UTC
x86 stable
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2012-05-17 18:45:51 UTC
Stable on alpha.
Comment 6 Maurizio Camisaschi (amd64 AT) 2012-05-18 13:52:37 UTC
amd64 ok
Comment 7 Agostino Sarubbo gentoo-dev 2012-05-19 14:02:25 UTC
amd64 stable
Comment 8 Mark Loeser (RETIRED) gentoo-dev 2012-05-20 06:57:59 UTC
ppc/ppc64 done
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-05-20 23:30:47 UTC
CVE-2012-2337 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2337):
  sudo 1.6.x and 1.7.x before 1.7.9p1, and 1.8.x before 1.8.4p5, does not
  properly support configurations that use a netmask syntax, which allows
  local users to bypass intended command restrictions in opportunistic
  circumstances by executing a command on a host that has an IPv4 address.
Comment 10 Markus Meier gentoo-dev 2012-05-26 10:09:21 UTC
arm stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2012-05-26 17:21:30 UTC
ia64/m68k/s390/sh/sparc stable
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2012-05-26 18:49:31 UTC
Thanks, everyone. Filing a new GLSA request.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-07-09 22:16:08 UTC
This issue was resolved and addressed in
 GLSA 201207-01 at http://security.gentoo.org/glsa/glsa-201207-01.xml
by GLSA coordinator Sean Amoss (ackle).