sudo: Arbitrary command execution


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 200506-22 / sudo
Release Date: June 23, 2005
Latest Revision: June 23, 2005: 01
Impact: normal
Exploitable: local

Package | Vulnerable versions | Unaffected versions | Architecture(s)
app-admin/sudo | < 1.6.8_p9 | >= 1.6.8_p9 | All supported architectures

Related bugreports: #96618


A vulnerability in sudo may allow local users to elevate privileges.

2.  Impact Information


sudo allows a system administrator to give users the ability to run commands as other users.


The sudoers file is used to define the actions sudo users are permitted to perform. Charles Morris discovered that a specific layout of the sudoers file could cause the results of an internal check to be clobbered, leaving sudo vulnerable to a race condition.


Successful exploitation would permit a local sudo user to execute arbitrary commands as another user.

3.  Resolution Information


Reorder the sudoers file using the visudo utility to ensure the 'ALL' pseudo-command precedes other command definitions.
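
To find entries that need reordering before opening visudo, the following added example (not part of the advisory and not sudo's own parser) reports sudoers entries where the 'ALL' pseudo-command follows an earlier specific command definition. It is a heuristic with constructed sample input: it does not expand Cmnd_Alias names or follow included files, and it treats every "#" as the start of a comment.

```python
import re

# Constructed sample sudoers content (not taken from the advisory).
SAMPLE_BAD = """\
# constructed example
Defaults env_reset
alice  ALL = /usr/bin/less /var/log/messages, \\
             /sbin/reboot
%wheel ALL = (ALL) NOPASSWD: ALL
"""
SAMPLE_GOOD = """\
%wheel ALL = (ALL) NOPASSWD: ALL
alice  ALL = /usr/bin/less /var/log/messages, /sbin/reboot
"""

DIRECTIVE = re.compile(r"(Defaults|\w+_Alias)\b")     # not user specifications
RUNAS_OR_TAG = re.compile(r"\([^)]*\)|\b[A-Z_]+:")    # "(root)", "NOPASSWD:"

def commands(text):
    """Yield (line_no, command) for each command granted, in file order."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no                        # first physical line of the entry
        line = raw.split("#", 1)[0].rstrip()  # drop comments (and #include lines)
        if line.endswith("\\"):               # backslash continues the entry
            buf += line[:-1] + " "
            continue
        spec, buf = (buf + line).strip(), ""
        if DIRECTIVE.match(spec) or "=" not in spec:
            continue
        rhs = RUNAS_OR_TAG.sub("", spec.split("=", 1)[1])
        for item in rhs.split(","):
            if item.strip():
                yield start, item.strip()

def all_after_specific(text):
    """Line numbers of entries where ALL follows an earlier specific command."""
    seen_specific, findings = False, []
    for no, cmd in commands(text):
        if cmd != "ALL":
            seen_specific = True
        elif seen_specific:
            findings.append(no)
    return findings

if __name__ == "__main__":
    for name, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, all_after_specific(text) or "ok")
```

An empty result only means this ordering pattern was not found in the text given; upgrading as described below remains the resolution.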


All sudo users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/sudo-1.6.8_p9"

4.  References


Page updated June 23, 2005

Security Team