Gentoo Logo

sudo: Privilege escalation


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 201203-06 / sudo
Release Date March 06, 2012
Latest Revision March 06, 2012: 1
Impact high
Exploitable local
Package Vulnerable versions Unaffected versions Architecture(s)
app-admin/sudo < 1.8.3_p2 >= 1.8.3_p2, revision >= 1.7.4_p5 All supported architectures

Related bugreports: #351490, #401533


Two vulnerabilities have been discovered in sudo, allowing local attackers to possibly gain escalated privileges.

2.  Impact Information


sudo allows a system administrator to give users the ability to run commands as other users.


Two vulnerabilities have been discovered in sudo:

  • When the sudoers file is configured with a Runas group, sudo does not prompt for a password when changing to the new group (CVE-2011-0010).
  • A format string vulnerability exists in the "sudo_debug()" function (CVE-2012-0809).


A local attacker could possibly gain the ability to run arbitrary commands with the privileges of other users or groups, including root.

3.  Resolution Information


There is no known workaround at this time.


All sudo users should upgrade to the latest version:

Code Listing 3.1: Resolution

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.8.3_p2"

4.  References


Page updated March 06, 2012

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.