SB2012030604 - Gentoo update for sudo

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2012030604

SB2012030604 - Gentoo update for sudo

Published: March 6, 2012 Updated: September 25, 2016

Security Bulletin ID SB2012030604
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2011-0010)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

check.c in sudo 1.7.x before 1.7.4p5, when a Runas group is configured, does not require a password for command execution that involves a gid change but no uid change, which allows local users to bypass an intended authentication requirement via the -g option to a sudo command.


2) Format string error (CVE-ID: CVE-2012-0809)

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

Format string vulnerability in the sudo_debug function in Sudo 1.8.0 through 1.8.3p1 allows local users to execute arbitrary code via format string sequences in the program name for sudo.


Remediation

Install update from vendor's website.

References