oss-sec mailing list archives

Re: CVE assignment notification -- CVE-2010-0427 -- sudo fails to reset group permissions if runas_default set


From: Jamie Strandboge <jamie () canonical com>
Date: Wed, 24 Feb 2010 09:27:15 -0600

On Tue, 2010-02-23 at 17:17 +0100, Jan Lieskovsky wrote:

Thanks for your investigation.

   b, v1.7.x based versions of sudo are not affected by this
      flaw due to the differences in the way sudoers file is parsed.

This is in conflict with Todd's statement in his writeup:
"Sudo versions affected:
1.6.9 through 1.7.2p3 inclusive.
...
Fix:
The bug is fixed in sudo 1.7.2p4 and 1.6.9p21"


Upstream appears to have patched 1.7.2. Can you explain why it is not
affected?

-- 
Jamie Strandboge             | http://www.canonical.com
