A buffer overflow exists in sudo versions 1.5.7 to 1.6.5p2 (inclusive). The problem affects expansion of the “%h” and “%u” escape sequences in the prompt. Due to a bug it is possible to craft a prompt such that more bytes are written than have been allocated. Exploiting heap corruption bugs like this requires fairly in-depth knowledge of a system’s malloc internals. The bug has been exploited on Linux and can allow an attacker to gain root privileges. No known exploits exist for other operating systems but this should not be considered a Linux-only problem.
A security issue has been found by Sebastian Krahmer of the SuSE Security Team in Sudo versions 1.6.0 - 1.6.3p7. When the Postfix sendmail replacement is installed on a machine, an attacker may be able to gain root privileges by way of Sudo.
Affected versions: 1.6.0 - 1.6.3p7 (inclusive)
Starting with version 1.6.0 Sudo sends mail to the administrator as root to prevent the invoking user from killing the mail process and thus avoiding logging (in previous versions of Sudo the mail was sent as the invoking user).
A single-byte heap corruption bug exists in sudo versions 1.6.3p5 and below. Exploitation of the bug requires in-depth knowledge of the system malloc internals. The bug has been exploited on Linux and can allow an attacker to gain root privileges. No known exploits exist for other operating systems but this should not be considered a Linux-only problem.
Affected versions: 1.3.0 - 1.6.3p5 (inclusive)