OpenPKG Security Advisory
OpenPKG-SA-2006.002
Publisher Name: OpenPKG GmbH Publisher Home: http://openpkg.com/ Advisory Id (public): OpenPKG-SA-2006.002 Advisory Type: OpenPKG Security Advisory (SA) Advisory Directory: http://openpkg.com/go/OpenPKG-SA Advisory Document: http://openpkg.com/go/OpenPKG-SA-2006.002 Advisory Published: 2008-10-06 23:00 UTC Issue Id (internal): OpenPKG-SI-20060218.02 Issue First Created: 2006-02-18 Issue Last Modified: 2006-12-07 Issue Revision: 07
Subject Name: sudo Subject Summary: Flexible Switch User Command Subject Home: http://www.sudo.ws/ Subject Versions: * <= 1.6.8p11 Vulnerability Id: none Vulnerability Scope: global (not OpenPKG specific) Attack Feasibility: run-time Attack Vector: Attack Impact: privilege escalation Description: According to a vendor bug report [0], an incomplete blacklist vulnerability exists in the Sudo [1] utility which can lead to a privilege escalation. The vulnerability exists in Sudo 1.6.8 and earlier and allows local users to gain privileges via the "SHELLOPTS" and "PS4" environment variables before executing a shell script on behalf of another user. References: [0] http://www.sudo.ws/bugs/show_bug.cgi?id=182 [1] http://www.sudo.ws/
Primary Package Name: sudo Primary Package Home: http://openpkg.org/go/package/sudo Affected Distribution: Affected Branch: Affected Package: OpenPKG Community 2.3-SOLID sudo-1.6.8p7-2.3.1 OpenPKG Community 2.4-SOLID sudo-1.6.8p8-2.4.1 OpenPKG Community 2.5-SOLID sudo-1.6.8p9-2.5.1 OpenPKG Community CURRENT sudo-1.6.8p11-20051107 Corrected Distribution: Corrected Branch: Corrected Package: OpenPKG Community 2.3-SOLID sudo-1.6.8p7-2.3.2 OpenPKG Community 2.4-SOLID sudo-1.6.8p8-2.4.2 OpenPKG Community 2.5-SOLID sudo-1.6.8p9-2.5.2 OpenPKG Community CURRENT sudo-1.6.8p12-20051109
