Message-ID: <4B83B356.6060701@redhat.com>
Date: Tue, 23 Feb 2010 11:52:06 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
CC: "Steven M. Christey" <coley@...us.mitre.org>,
"Todd C. Miller" <Todd.Miller@...rtesan.com>
Subject: CVE assignment notification -- CVE-2010-0426 -- sudo improper pseudocommands file path check

Hi vendors,

a privilege escalation flaw was found in the way
sudo used to check file paths for pseudocommands.
If a local, unprivileged user was authorized by the sudoers
file to edit one or more files, it could lead to
execution of arbitrary code, with the privileges
of the privileged system user (root).

BTS records:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=570737
[2] https://bugzilla.redhat.com/show_bug.cgi?id=567337

Patches from Todd C. Miller:
[3] https://bugzilla.redhat.com/attachment.cgi?id=395605&action=diff
(against sudo v1.7.x)
[4] https://bugzilla.redhat.com/attachment.cgi?id=395606&action=diff
(against sudo v1.6.x)
which should overcome the deficiency.

Credit: neonsignal

CVE: CVE identifier of CVE-2010-0426 has already been assigned to this issue.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team