Several vulnerabilities have been discovered in sudo, a program designed to allow a sysadmin to give limited root privileges to users. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2010-0426
It was discovered that sudo, when a pseudo-command is enabled, permits a match between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which allows local users to gain privileges via a crafted executable file.
CVE-2010-0427
It was discovered that sudo, when the runas_default option is used, does not properly set group memberships, which allows local users to gain privileges via a sudo command.
For the stable distribution (lenny), these problems have been fixed in version 1.6.9p17-2+lenny1.
For the unstable distribution (sid), these problems have been fixed in version 1.7.2p1-1.2, and will migrate to the testing distribution (squeeze) shortly.
We recommend that you upgrade your sudo package.
MD5 checksums of the listed files are available in the original advisory.
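An added example (not part of the advisory): a small Python check that scans sudoers text for the two preconditions named above, a `runas_default` setting and rules that grant the pseudo-command, which for CVE-2010-0426 is `sudoedit`. The sample sudoers content and the function names are constructed for illustration, and `#include`d files are not followed.

```python
import re

# Constructed sample sudoers content (not taken from any real host).
SAMPLE_SUDOERS = """\
# constructed example
Defaults env_reset
Defaults:alice runas_default=operator
alice ALL = (root) sudoedit /etc/motd, \\
            /usr/bin/less /var/log/syslog
bob   ALL = (root) /usr/bin/apt-get update
"""


def logical_lines(text):
    """Join backslash-continued lines, then drop blanks and comment lines."""
    joined = re.sub(r"\\\n", " ", text)
    for raw in joined.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def audit(text):
    """Return (kind, line) findings for the two preconditions in the advisory."""
    findings = []
    for line in logical_lines(text):
        if re.match(r"Defaults\b", line):
            # CVE-2010-0427 applies only when runas_default is set.
            if re.search(r"\brunas_default\s*=", line):
                findings.append(("runas_default", line))
        # CVE-2010-0426 applies only when a rule or alias grants the bare
        # pseudo-command; a path such as /home/x/sudoedit is not a grant.
        elif re.search(r"(^|[\s,=)])sudoedit(\s|,|$)", line):
            findings.append(("sudoedit", line))
    return findings


if __name__ == "__main__":
    for kind, line in audit(SAMPLE_SUDOERS):
        print(f"{kind}: {line}")
```

A finding means the configuration meets a precondition for one of the two issues on an unpatched sudo; the remedy remains the package upgrade listed above.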