oss-sec mailing list archives
CVE assignment notification -- CVE-2010-0426 -- sudo improper pseudocommands file path check
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 23 Feb 2010 11:52:06 +0100
Hi vendors,

a privilege escalation flaw was found in the way sudo used to check file paths for pseudocommands. If a local, unprivileged user was authorized by the sudoers file to edit one or more files, it could lead to execution of arbitrary code, with the privileges of the privileged system user (root).

BTS records:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=570737
[2] https://bugzilla.redhat.com/show_bug.cgi?id=567337

Patches from Todd C. Miller:
[3] https://bugzilla.redhat.com/attachment.cgi?id=395605&action=diff (against sudo v1.7.x)
[4] https://bugzilla.redhat.com/attachment.cgi?id=395606&action=diff (against sudo v1.6.x)

which should overcome the deficiency.

Credit: neonsignal

CVE: CVE identifier of CVE-2010-0426 has already been assigned to this issue.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team