Executive Summary

Title : sudo security update
Name : DSA-4543
First vendor Publication : 2019-10-14
Last vendor Modification : 2019-10-14
Vendor : Debian
Severity (Vendor) : N/A
Revision : 1

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score : N/A
Cvss Impact Score : N/A
Cvss Exploit Score : N/A
Attack Range : N/A
Attack Complexity : N/A
Authentication : N/A


Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows running commands as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access.

Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html .

For the oldstable distribution (stretch), this problem has been fixed in version 1.8.19p1-2.1+deb9u1.

For the stable distribution (buster), this problem has been fixed in version 1.8.27-1+deb10u1.

We recommend that you upgrade your sudo packages.

For the detailed security status of sudo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sudo
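
A configuration check for the Runas pattern described above, as an added example that is not part of the Debian or upstream advisory: it flags sudoers rules whose Runas list combines ALL with an explicit root exclusion, which are the rules that rely on the fixed package versions. The `audit` function, the constructed sample content, the `!#0` form of the exclusion and the simplified parsing (no include handling, one level of Runas_Alias expansion) are assumptions of this example.

```python
import re

RUNAS_SPEC = re.compile(r"\(([^)]*)\)")   # "(users[:groups])" in a user spec
ROOT_DENY = {"!root", "!#0"}              # root excluded by name or by uid
NON_RULE = re.compile(r"(\w+_Alias|Defaults)\b")

# Constructed sample sudoers content, not taken from any real host.
SAMPLE = """\
# constructed sample
Runas_Alias NOTROOT = ALL, !root
alice ALL = (ALL, !root) /usr/bin/vi
bob   ALL = (ALL, !#0 : ALL) NOPASSWD: /usr/bin/id
carol ALL = (NOTROOT) \\
            /usr/bin/less
dave  ALL = (ALL) ALL
erin  ALL = (www-data) /usr/bin/systemctl reload nginx
"""

def logical_lines(text):
    """Join backslash continuations, drop comments and blank lines."""
    for raw in text.replace("\\\n", " ").splitlines():
        # '#' followed by a digit is a uid (e.g. !#0), not a comment
        line = re.sub(r"#(?!\d).*", "", raw).strip()
        if line:
            yield line

def split_users(runas):
    """User part of a Runas list as tokens, ignoring any ':group' part."""
    return [t.strip() for t in runas.split(":")[0].split(",") if t.strip()]

def audit(text):
    """Return rules whose Runas list is ALL with root explicitly excluded."""
    aliases, findings = {}, []
    lines = list(logical_lines(text))
    for line in lines:                    # pass 1: collect Runas_Alias lists
        if line.startswith("Runas_Alias"):
            for part in line[len("Runas_Alias"):].split(":"):
                name, _, members = part.partition("=")
                aliases[name.strip()] = split_users(members)
    for line in lines:                    # pass 2: inspect user specifications
        if NON_RULE.match(line):
            continue
        for spec in RUNAS_SPEC.findall(line):
            users = [u for t in split_users(spec) for u in aliases.get(t, [t])]
            if "ALL" in users and ROOT_DENY & set(users):
                findings.append(line)
                break
    return findings
```

Rules reported by `audit` are the ones to prioritise when confirming that hosts run the fixed sudo versions listed above; a rule such as `(ALL) ALL` is not reported because it already grants root.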

Original Source

Url : http://www.debian.org/security/2019/dsa-4543

Alert History

2019-10-14 21:19:06
  • First insertion