[lugm.org] sudo vulnerability

selven pcthegreat at gmail.com
Tue Jan 31 06:15:35 UTC 2012


Cheers
On Tue, Jan 31, 2012 at 1:07 AM, Loganaden Velvindron
<gnukid1 at yahoo.co.uk> wrote:
> Hi,
>
>
> There's a format string vulnerability in sudo version 1.8.x.
>
> In case you can't upgrade to the latest sudo which patches this
> vulnerability among other things (1.8.3p2)
>
> CVE is not posting details for the moment:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0809
>
> It can work even without having the user added to the sudoers list. If
> the user can execute sudo, that's enough to start playing around, and gain
> root.
>
> I wrote a patch based on the fix provided by millert.
> http://devio.us/~loganaden/sudo.c.patch. It works on older 1.8.x releases.
>
> Instructions:
> cp sudo.c sudo.c.orig
> patch < sudo.c.patch
>
> I'd advise to update to the latest version which has other fixes as well.
>
> __________________________________________________________
> Linux User Group of Mauritius (LUGM) Discuss mailing list
> Website: http://lugm.org
> Mailing list archive: http://lugm.org/pipermail/discuss_lugm.org/
> Forum: http://lugm.org/forum/
> IRC: #linux.mu on Freenode
>



-- 
Pirabarlen Cheenaramen | $3|v3n
L'escalier

mobile: +230 49 24 918

email: pcthegeat at gmail.com || god at hackers.mu
contact: http://godifiy.me
/*memory is like prison*/ (user==selven)?free(user):user=malloc(sizeof(brain));
P Save electricity & disk space. Cat this mail to >/dev/null 2>&1 after use.
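
A version check for the range named in this thread (sudo 1.8.x older than 1.8.3p2), as an added example that is not part of the original messages or of the sudo project. The function names are hypothetical, and the version strings in it are limited to the ones the thread gives.

```sh
#!/bin/sh
# Added example: test a sudo version string against the range in this thread,
# i.e. 1.8.x releases older than 1.8.3p2. Function names are hypothetical.
# Caveat: a build fixed with a source patch may still report its old version,
# so an "affected" result means "verify", not "proven vulnerable".

# Return 0 if affected, 1 if not, 2 if the string cannot be parsed.
sudo_affected() {
    ver=$1
    patch=0
    case $ver in
        *p[0-9]*) patch=${ver##*p}; ver=${ver%p*} ;;   # 1.8.3p2 -> 1.8.3 + 2
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver                                        # split on dots
    IFS=$old_ifs
    major=${1:-}; minor=${2:-}; micro=${3:-0}
    # Drop trailing tags such as "rc1" or a distro suffix; default to 0.
    micro=${micro%%[!0-9]*}; micro=${micro:-0}
    patch=${patch%%[!0-9]*}; patch=${patch:-0}
    for n in "$major" "$minor"; do
        case $n in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -eq 1 ] && [ "$minor" -eq 8 ] || return 1   # only 1.8.x in scope
    [ "$micro" -lt 3 ] && return 0
    [ "$micro" -eq 3 ] && [ "$patch" -lt 2 ] && return 0
    return 1
}

# Version of the sudo on PATH, taken from the first line of `sudo -V`.
local_sudo_version() {
    sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# Print a one-line verdict for a version string and return the same code.
report_sudo() {
    rc=0
    sudo_affected "$1" || rc=$?
    case $rc in
        0) echo "$1: in affected range, upgrade or confirm the patch was applied" ;;
        1) echo "$1: outside affected range" ;;
        *) echo "$1: unrecognised version string" ;;
    esac
    return "$rc"
}
```

On a host, `report_sudo "$(local_sudo_version)"` checks the installed binary.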



