Sudo
Negation within a Cmnd_Alias not honored
A flaw exists in sudo versions 1.7.0 to 1.7.2p1 that causes the negation operator to have no effect when used in a Cmnd_Alias. Sudo versions affected: 1.7.0 through 1.7.2p1 inclusive. Details: Sudo uses the Cmnd_Alias syntax for named groups of commands in the sudoers file. The Cmnd_Alias is expanded when command matching is performed as sudo checks whether a user is allowed to run a particular command. There is a flaw in the code that matches lists of commands where the negation operator was applied twice. ...
Bug in supplemental group matching
A bug was introduced in Sudo’s group matching code in version 1.6.9 when support for matching based on the supplemental group vector was added. This bug may allow certain users listed in the sudoers file to run a command as a different user than their access rule specifies. Sudo versions affected: Sudo versions 1.6.9 up to and including 1.6.9p19. Sudo version 1.7.0 is not affected. CVE ID: This vulnerability has been assigned CVE-2009-0034 in the Common Vulnerabilities and Exposures database. ...
Flaw in Kerberos 5
Sudo can optionally be built with support for Kerberos 5 authentication. A flaw exists in sudo’s Kerberos 5 authentication that, depending on the local machine’s Kerberos 5 configuration, could allow a malicious user to avoid authenticating with sudo. The user would still be limited by the sudoers file as to what commands could be run (and as what user). Sudo versions affected: All versions prior to 1.6.9. CVE ID: This vulnerability has been assigned CVE-2007-3149 in the Common Vulnerabilities and Exposures database. ...
Perl scripts run via Sudo can be subverted
A flaw exists in sudo’s environment sanitizing prior to sudo version 1.6.8p12 that could allow a malicious user with permission to run a perl script to execute arbitrary perl code. Sudo versions affected: All versions prior to 1.6.8p12. CVE ID: This vulnerability has been assigned CVE-2004-1051 in the Common Vulnerabilities and Exposures database. Details: The PERL5LIB and PERLLIB environment variables can be used to provide a list of directories in which to look for perl library files before the system directories are searched. ...
Bash scripts run via Sudo can be subverted
A flaw exists in sudo’s environment sanitizing prior to sudo version 1.6.8p10 that could allow a malicious user with permission to run a shell script that uses the bash shell to run arbitrary commands. The /bin/sh shell on most (if not all) Linux and Mac OS X systems is bash. Sudo versions affected: All versions prior to 1.6.8p10. CVE ID: This vulnerability has been assigned CVE-2004-1051 in the Common Vulnerabilities and Exposures database. ...
Race condition in Sudo's pathname validation
A race condition exists in Sudo’s command pathname handling prior to Sudo version 1.6.8p9 that could allow a user with Sudo privileges to run arbitrary commands. Sudo versions affected: Sudo versions 1.3.1 up to and including 1.6.8p8. CVE ID: This vulnerability has been assigned CVE-2005-1993 in the Common Vulnerabilities and Exposures database. Details: When a user runs a command via Sudo, the inode and device numbers of the command are compared to those of commands with the same basename found in the sudoers file (see the Background section for more information). ...
Bash scripts run via Sudo can be subverted
A flaw exists in sudo’s environment sanitizing prior to sudo version 1.6.8p2 that could allow a malicious user with permission to run a shell script that uses the bash shell to run arbitrary commands. The /bin/sh shell on most (if not all) Linux systems is bash. Sudo versions affected: All versions prior to 1.6.8p2. CVE ID: This vulnerability has been assigned CVE-2004-1051 in the Common Vulnerabilities and Exposures database. ...
Sudoedit can expose file contents
A flaw exists in sudo’s -e option (aka sudoedit) in sudo version 1.6.8 that can give an attacker read permission to a file that would otherwise be unreadable. Sudo versions affected: 1.6.8 only. Details: While sudoedit runs the actual editor as the invoking user, the temporary file is then re-opened with root privileges. An attacker can run sudoedit, remove the editor temporary file, make a link to an unreadable file with the same name as the old temporary file and quit the editor. ...
Sudo Prompt Buffer Overflow
A buffer overflow exists in sudo versions 1.5.7 to 1.6.5p2 (inclusive). The problem affects expansion of the “%h” and “%u” escape sequences in the prompt. Due to a bug, it is possible to craft a prompt such that more bytes are written than have been allocated. Exploiting heap corruption bugs like this requires fairly in-depth knowledge of a system’s malloc internals. The bug has been exploited on Linux and can allow an attacker to gain root privileges. ...
Security Issue with Sudo and Postfix
A security issue has been found by Sebastian Krahmer of the SuSE Security Team in Sudo versions 1.6.0 - 1.6.3p7. When the Postfix sendmail replacement is installed on a machine, an attacker may be able to gain root privileges by way of Sudo. Sudo versions affected: 1.6.0 - 1.6.3p7 (inclusive). Details: Starting with version 1.6.0, Sudo sends mail to the administrator as root to prevent the invoking user from killing the mail process and thus avoiding logging (in previous versions of Sudo the mail was sent as the invoking user). ...