[CVE-2009-0034] For some non-standard /etc/sudoers root escalation is possible
Bug #328964 reported by Andreas Wenning

Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
sudo (Ubuntu) | Fix Released | Undecided | Unassigned | |
Dapper | Invalid | Undecided | Unassigned | |
Gutsy | Invalid | Undecided | Unassigned | |
Hardy | Fix Released | Undecided | Kees Cook | |
Intrepid | Fix Released | Undecided | Kees Cook | |

Bug Description
Binary package hint: sudo
CVE-2009-0034: http://
parse.c in sudo 1.6.9p17 through 1.6.9p19 does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo command.
Patch:
http://
Mandriva has updated packages from 1.6.9p5 through 1.6.9p17, so it looks like all releases are affected (dapper through jaunty): http://
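
A triage aid for the condition described above, added here as an example and not part of the original report or of sudo itself: it checks whether a sudo version's upstream base falls in the range named in the CVE text and lists the sudoers entries that reference a `%group`, so they can be reviewed. The function names and the sample sudoers content are constructed for illustration.

```python
import re

# Affected upstream range, taken from the CVE text on this page.
AFFECTED = ((1, 6, 9, 17), (1, 6, 9, 19))

def parse_upstream(version):
    """'1.6.9p17-1ubuntu3' -> (1, 6, 9, 17); the distro revision is dropped."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version.split("-", 1)[0])
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def upstream_in_affected_range(version):
    # True only says the upstream base is in range: a distro build such as
    # 1.6.9p17-1ubuntu3 carries a backported fix, so check the changelog too.
    return AFFECTED[0] <= parse_upstream(version) <= AFFECTED[1]

def group_rules(sudoers_text):
    """Return (first_line_no, rule, [groups]) for every entry naming a %group."""
    hits, pending, start = [], "", 0
    for no, raw in enumerate(sudoers_text.splitlines(), 1):
        if not pending:
            start = no
        pending += raw
        if pending.endswith("\\"):          # continuation: keep accumulating
            pending = pending[:-1] + " "
            continue
        rule, pending = pending, ""
        rule = " ".join(re.sub(r"#(?!\d).*", "", rule).split())  # drop comments, keep #uid
        if rule.startswith("Defaults"):     # %u, %h here are prompt escapes
            continue
        groups = re.findall(r"%([A-Za-z0-9_.-]+)", rule)
        if groups:
            hits.append((start, rule, groups))
    return hits

# Constructed sample sudoers content, not taken from a real host.
SAMPLE = """\
# local policy
Defaults passprompt="%u password:"
User_Alias OPS = alice, %ops
%admin ALL=(ALL) ALL
bob ALL = (%backup) \\
    /usr/bin/rsync
carol ALL=(#1001) /bin/ls  # %notagroup
"""

if __name__ == "__main__":
    print("upstream base in affected range:", upstream_in_affected_range("1.6.9p17"))
    for line_no, rule, groups in group_rules(SAMPLE):
        print(f"line {line_no}: {rule}   groups={groups}")
```
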
Jaunty just got fixed:
sudo (1.6.9p17-1ubuntu3) jaunty; urgency=low
* SECURITY UPDATE: privilege escalation via non-default system groups. www.sudo.ws/cgi-bin/cvsweb/sudo/parse.c?r1=1.160.2.21&r2=1.160.2.22
- parse.c: upstream fix for CVE-2009-0034:
http://