A bug in the code that removes the escape characters will read beyond the last character of a string if it ends with an unescaped backslash character: the loop treats the backslash as escaping the byte after it, which in this case is the NUL terminator, so the terminator is copied and the walk continues into whatever follows the string in memory. Because the destination buffer is sized from the lengths of the original arguments, the bytes read past the terminator are also written past the end of that heap buffer. Under normal circumstances, this bug would be harmless since sudo has escaped all the backslashes in the command's arguments. However, due to a different bug, this time in the command line parsing code, it is possible to run sudoedit with either the -s or -i option, setting a flag that indicates shell mode is enabled. Because a command is not actually being run, sudo does not escape special characters. Finally, the code that decides whether to remove the escape characters did not check whether a command is actually being run, only that the shell flag is set. This inconsistency is what makes the bug exploitable.
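The following is an added example, not sudo's own source, that reproduces the shape of the escape-removal loop described above and runs it over a constructed memory image: the argument abc\ as the shell would pass it, its NUL terminator, and a few stand-in bytes for whatever happens to follow the string in memory. The function names, the MEMORY image and the ALLOC size are assumptions made for this demonstration; the one-byte-per-argument allocation rule mirrors the advisory's description of how the destination is sized. The unfixed loop is shown beside a variant that refuses to treat a backslash followed by NUL as an escape.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed memory image for the demo (not real heap data): the argument
 * "abc\" exactly as typed, its NUL terminator, then bytes standing in for
 * whatever follows the string in memory. The literal's own terminator bounds
 * the walk so the demo itself cannot run off the end of the array.
 */
static const char MEMORY[] = "abc\\" "\0" "HEAP";
#define ARG_LEN 4                /* strlen("abc\\") */
#define ALLOC   (ARG_LEN + 1)    /* one byte per argument character plus a separator */

struct copy_result {
    size_t consumed;   /* source bytes read, including any NUL skipped over */
    size_t written;    /* bytes an unchecked copy would have written */
    size_t alloc;      /* bytes actually available in the destination */
};

/*
 * Same loop shape as the escape removal described in the advisory. With
 * fixed == 0, a backslash whose next byte is NUL passes the isspace() test,
 * so the NUL is copied and the loop keeps walking past the end of the string.
 * With fixed == 1, a trailing backslash is kept literally and the loop stops
 * at the terminator. Writes are bounds-checked here only to keep the demo
 * memory-safe; `written` records how far an unchecked copy would have gone.
 */
static struct copy_result strip_escapes(const char *from, char *to, size_t to_size, int fixed)
{
    const char *start = from;
    struct copy_result r = { 0, 0, to_size };

    while (*from) {
        int escaped = from[0] == '\\' && !isspace((unsigned char)from[1]);
        if (fixed && from[1] == '\0')
            escaped = 0;                 /* hardened: never escape the terminator */
        if (escaped)
            from++;                      /* drop the backslash, copy the next byte */
        if (r.written < to_size)
            to[r.written] = *from;
        r.written++;
        from++;
    }
    /* the real loop appends an argument separator here; count it the same way */
    if (r.written < to_size)
        to[r.written] = '\0';
    r.written++;
    r.consumed = (size_t)(from - start);
    return r;
}

/* Run one pass over the constructed image with the assumed allocation size. */
struct copy_result run_demo(int fixed)
{
    char dest[ALLOC];
    return strip_escapes(MEMORY, dest, sizeof dest, fixed);
}

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++) {
        struct copy_result r = run_demo(fixed);
        printf("%s: read %zu source bytes (string is %d + NUL), wrote %zu into a %zu-byte buffer%s\n",
               fixed ? "fixed     " : "vulnerable", r.consumed, ARG_LEN,
               r.written, r.alloc, r.written > r.alloc ? "  <-- overflow" : "");
    }
    return 0;
}
```

The vulnerable pass reads 9 source bytes for a 4-character argument and would write 9 bytes into a 5-byte buffer; the hardened pass stops at the terminator and fits exactly. The overflow length is whatever lies between the argument's NUL and the next NUL in memory, which is why the distance is attacker-influenced in practice.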
To test whether your version of sudo is vulnerable, the following command can be used:
    sudoedit -s /

A vulnerable version of sudo will either prompt for a password or display an error similar to:

    sudoedit: /: not a regular file

A patched version of sudo will simply display a usage statement, for example:

    usage: sudoedit [-AknS] [-a type] [-C num] [-c class] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...

If the sudoers plugin has been patched but the sudo front-end has not, the following error will be displayed:

    sudoedit: invalid mode flags from sudo front end: 0x20002

Patching either the sudo front-end or the sudoers plugin is sufficient to prevent exploitation, but applying the complete patch is the safest approach.
For more information, see the Qualys advisory.