[lugm.org] sudo vulnerability
Loganaden Velvindron
gnukid1 at yahoo.co.uk
Mon Jan 30 21:07:38 UTC 2012
Hi,
There's a format string vulnerability in sudo version 1.8.x.
In case you can't upgrade to the latest sudo which patches this
vulnerability among other things (1.8.3p2)
CVE is not posting details for the moment:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0809
It can work even without having the user added to the sudoers list. If
the user can execute sudo, that's enough to start playing around, and gain root.
I wrote a patch based on the fix provided by millert:
http://devio.us/~loganaden/sudo.c.patch
It works on older 1.8.x releases.
Instructions:
cp sudo.c sudo.c.orig
patch < sudo.c.patch
I'd advise updating to the latest version, which has other fixes as well.
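
An added example, not part of the original post or of sudo itself: a shell check that classifies a sudo version string against the range the post names (1.8.x releases older than 1.8.3p2). The function names are hypothetical, and it assumes the first line of `sudo -V` output reads "Sudo version X".

```shell
#!/bin/sh
# Added example: decide whether a sudo version string falls in the range
# named in the post (1.8.x older than 1.8.3p2, the release with the fix).

# Print the installed version, e.g. "1.8.3p1" (empty if sudo is missing).
# Assumption: the first line of `sudo -V` is "Sudo version X".
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# Print one of: affected, fixed, not-1.8.x, unknown.
classify_sudo_version() {
    v=$1
    # Accept only MAJOR.MINOR[.MICRO][pN]; betas, rc builds and empty
    # input are reported as unknown rather than guessed at.
    printf '%s\n' "$v" |
        grep -Eq '^[0-9]+\.[0-9]+(\.[0-9]+)?(p[0-9]+)?$' ||
        { echo unknown; return; }
    case $v in
        *p*) patch=${v##*p}; base=${v%p*} ;;
        *)   patch=0; base=$v ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $base            # split "1.8.3" into its numeric fields
    IFS=$old_ifs
    major=$1 minor=$2 micro=${3:-0}
    if [ "$major" -ne 1 ] || [ "$minor" -ne 8 ]; then
        echo not-1.8.x
    elif [ "$micro" -lt 3 ] ||
         { [ "$micro" -eq 3 ] && [ "$patch" -lt 2 ]; }; then
        # A build patched locally with sudo.c.patch still reports its old
        # version, so "affected" here means "verify how it was built".
        echo affected
    else
        echo fixed
    fi
}

# Constructed sample inputs, not taken from any real host.
for v in 1.7.4p4 1.8.0 1.8.3p1 1.8.3p2 1.8.4 1.8.0rc1; do
    printf '%-9s %s\n' "$v" "$(classify_sudo_version "$v")"
done
```

On a real host, run `classify_sudo_version "$(installed_sudo_version)"`.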