Sudo
Negation within a Cmnd_Alias not honored

A flaw exists in sudo versions 1.7.0 to 1.7.2p1 that causes the negation operator to have no effect when used in a Cmnd_Alias.

Sudo versions affected:

1.7.0 through 1.7.2p1 inclusive.

Details:

Sudo uses the Cmnd_Alias syntax for named groups of commands in the sudoers file. The Cmnd_Alias is expanded when command matching is performed, as sudo checks whether a user is allowed to run a particular command. There is a flaw in the code that matches lists of commands where the negation operator was applied twice. This can result in a command being allowed that was intended to be explicitly disallowed. For example, given the following sudoers file fragment:

...
Bug in supplemental group matching

A bug was introduced in Sudo’s group matching code in version 1.6.9 when support for matching based on the supplemental group vector was added. This bug may allow certain users listed in the sudoers file to run a command as a different user than their access rule specifies.

Sudo versions affected:

Sudo versions 1.6.9 up to and including 1.6.9p19. Sudo version 1.7.0 is not affected.

...
Flaw in Kerberos 5

Sudo can optionally be built with support for Kerberos 5 authentication. A flaw exists in sudo’s Kerberos 5 authentication that, depending on the local machine’s Kerberos 5 configuration, could allow a malicious user to avoid authenticating with sudo. The user would still be limited by the sudoers file as to what commands could be run (and as what user).

Sudo versions affected:

All versions prior to 1.6.9.

...
Bash scripts run via Sudo can be subverted

A flaw exists in sudo’s environment sanitizing prior to sudo version 1.6.8p10 that could allow a malicious user with permission to run a shell script that utilized the bash shell to run arbitrary commands. The /bin/sh shell on most (if not all) Linux and Mac OS X systems is bash.

Sudo versions affected:

All versions prior to 1.6.8p10.

...
Bash scripts run via Sudo can be subverted

A flaw exists in sudo’s environment sanitizing prior to sudo version 1.6.8p2 that could allow a malicious user with permission to run a shell script that utilized the bash shell to run arbitrary commands. The /bin/sh shell on most (if not all) Linux systems is bash.

Sudo versions affected:

All versions prior to 1.6.8p2.

...
Sudoedit can expose file contents

A flaw exists in sudo’s -e option (aka sudoedit) in sudo version 1.6.8 that can give an attacker read permission to a file that would otherwise be unreadable.

Sudo versions affected:

1.6.8 only

Details:

While sudoedit runs the actual editor as the invoking user, the temporary file is then re-opened with root privileges. An attacker can run sudoedit, remove the editor temporary file, make a link to an unreadable file with the same name as the old temporary file and quit the editor. The file being edited via sudoedit will now contain a copy of the previously unreadable file.

...
Sudo Prompt Buffer Overflow

A buffer overflow exists in sudo versions 1.5.7 to 1.6.5p2 (inclusive). The problem affects expansion of the “%h” and “%u” escape sequences in the prompt. Due to a bug it is possible to craft a prompt such that more bytes are written than have been allocated. Exploiting heap corruption bugs like this requires fairly in-depth knowledge of a system’s malloc internals. The bug has been exploited on Linux and can allow an attacker to gain root privileges. No known exploits exist for other operating systems but this should not be considered a Linux-only problem.

...
Security Issue with Sudo and Postfix

A security issue has been found by Sebastian Krahmer of the SuSE Security Team in Sudo versions 1.6.0 - 1.6.3p7. When the Postfix sendmail replacement is installed on a machine, an attacker may be able to gain root privileges by way of Sudo.

Sudo versions affected:

1.6.0 - 1.6.3p7 (inclusive)

Details:

Starting with version 1.6.0, Sudo sends mail to the administrator as root to prevent the invoking user from killing the mail process and thus avoiding logging (in previous versions of Sudo the mail was sent as the invoking user).

...