Gentoo Logo

sudo: Privilege escalation

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200902-01 / sudo
Release Date February 06, 2009
Latest Revision February 06, 2009: 01
Impact high
Exploitable local
Package Vulnerable versions Unaffected versions Architecture(s)
app-admin/sudo < 1.7.0 >= 1.7.0 All supported architectures

Related bugreports: #256633

Synopsis

A vulnerability in sudo may allow for privilege escalation.

2.  Impact Information

Background

sudo allows a system administrator to give users the ability to run commands as other users.

Description

Harald Koenig discovered that sudo incorrectly handles group specifications in Runas_Alias (and related) entries when a group is specified in the list (using %group syntax, to allow a user to run commands as any member of that group) and the user is already a member of that group.

Impact

A local attacker could possibly run commands as an arbitrary system user (including root).

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All sudo users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/sudo-1.7.0"

4.  References

Print

Updated February 06, 2009

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Support OSL
Gentoo Centric Hosting: vr.org
Tek Alchemy
SevenL.net
Global Netoptex Inc.
Bytemark
Online Kredit Index
Copyright 2001-2009 Gentoo Foundation, Inc. Questions, Comments? Contact us.