Synopsis: Important: sudo security update
Issue date: 2010-02-26
CVE Names: CVE-2010-0426 CVE-2010-0427
CVE-2010-0426 sudo: sudoedit option can possibly allow for arbitrary
code execution
CVE-2010-0427 sudo: Fails to reset group permissions if runas_default set
A privilege escalation flaw was found in the way sudo handled the
sudoedit pseudo-command. If a local user were authorized by the sudoers
file to use this pseudo-command, they could possibly leverage this flaw
to execute arbitrary code with the privileges of the root user.
(CVE-2010-0426)
The sudo utility did not properly initialize supplementary groups when
the "runas_default" option (in the sudoers file) was used. If a local
user were authorized by the sudoers file to perform their sudo commands
under the account specified with "runas_default", they would receive the
root user's supplementary groups instead of those of the intended target
user, giving them unintended privileges. (CVE-2010-0427)
SL 5.x
SRPMS:
sudo-1.6.9p17-6.el5_4.src.rpm
i386:
sudo-1.6.9p17-6.el5_4.i386.rpm
x86_64:
sudo-1.6.9p17-6.el5_4.x86_64.rpm
-Connie Sieh
-Troy Dawson
|