A flaw exists in sudo’s -e option (aka sudoedit) in sudo versions 1.6.8 through 1.7.2p5 that may give a user with permission to run sudoedit the ability to run arbitrary commands. This bug is related to, but distinct from, CVE-2010-0426.

1.6.8 through 1.7.2p5 inclusive.

This vulnerability has been assigned CVE-2010-1163 in the Common Vulnerabilities and Exposures database.

A flaw exists in sudo’s -e option (aka sudoedit) in sudo versions 1.6.9 through 1.7.2p3 that may give a user with permission to run sudoedit the ability to run arbitrary commands.

1.6.9 through 1.7.2p3 inclusive.

This vulnerability has been assigned CVE-2010-0426 in the Common Vulnerabilities and Exposures database.

A flaw exists in sudo versions 1.7.0 to 1.7.2p1 that caused the negation operator to have no effect when used in a Cmnd_Alias.

1.7.0 through 1.7.2p1 inclusive.

Sudo uses the Cmnd_Alias syntax for named groups of commands the sudoers file. The Cmnd_Alias is expanded when command matching is performed as sudo checks whether a user is allowed to run a particular command. There is a flaw in the code that matches lists of commands where the negation operator was applied twice. This can result in a command being allowed that was intended to be explicitly disallowed. For example, give the following sudoers file fragment:

A bug was introduced in Sudo’s group matching code in version 1.6.9 when support for matching based on the supplemental group vector was added. This bug may allow certain users listed in the sudoers file to run a command as a different user than their access rule specifies.

Sudo versions 1.6.9 up to and including 1.6.9p19. Sudo version 1.7.0 is not affected.

Sudo can optionally be built with support for Kerberos 5 authentication. A flaw in exists in sudo’s Kerberos 5 authentication that, depending on the local machine’s Kerberos 5 configuration, could allow a malicious user to avoid authenticating with sudo. The user would still be limited by the sudoers file as to what commands could be run (and as what user).

All versions prior to 1.6.9.

A flaw in exists in sudo’s environment sanitizing prior to sudo version 1.6.8p12 that could allow a malicious user with permission to run a perl script to execute arbitrary perl code.

All versions prior to 1.6.8p12.

This vulnerability has been assigned CVE-2004-1051 in the Common Vulnerabilities and Exposures database.

A flaw in exists in sudo’s environment sanitizing prior to sudo version 1.6.8p10 that could allow a malicious user with permission to run a shell script that utilized the bash shell to run arbitrary commands. The /bin/sh shell on most (if not all) Linux and Mac OS X systems is bash.

All versions prior to 1.6.8p10.

A race condition in Sudo’s command pathname handling prior to Sudo version 1.6.8p9 that could allow a user with Sudo privileges to run arbitrary commands.

Sudo versions 1.3.1 up to and including 1.6.8p8.

This vulnerability has been assigned CVE-2005-1993 in the Common Vulnerabilities and Exposures database.

A flaw in exists in sudo’s environment sanitizing prior to sudo version 1.6.8p2 that could allow a malicious user with permission to run a shell script that utilized the bash shell to run arbitrary commands. The /bin/sh shell on most (if not all) Linux systems is bash.

All versions prior to 1.6.8p2.

A flaw in exists in sudo’s -e option (aka sudoedit) in sudo version 1.6.8 that can give an attacker read permission to a file that would otherwise be unreadable.

1.6.8 only

While sudoedit runs the actual editor as the invoking user, the temporary file is then re-opened with root privileges. An attacker can run sudoedit, remove the editor temporary file, make a link to an unreadable file with the same name as the old temporary file and quit the editor. The file being edited via sudoedit will now contain a copy of the previously unreadable file.