Package name
sudo
Date
2010-04-28
Advisory ID
MDVSA-2010:078-1
Affected versions
2009.0 x86_64, 2009.0 i586

Problem description

A vulnerability has been found and corrected in sudo:

The command matching functionality in sudo 1.6.8 through 1.7.2p5 does
not properly handle the case where a file in the current working
directory has the same name as a pseudo-command in the sudoers file and
the PATH contains an entry for "." (the current directory). This allows
local users to execute arbitrary commands via a Trojan horse executable,
as demonstrated using sudoedit. This issue is CVE-2010-1163, a different
vulnerability than CVE-2010-0426.

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

The updated packages have been patched to correct this issue.
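
The two preconditions named above (a current-directory entry in PATH and a sudo version in the affected range) can be checked from a shell. The script below is an added example, not part of the original advisory or of sudo; the function names and sample values are constructed, and it assumes upstream versions of the form X.Y.Z or X.Y.ZpN.

```shell
#!/bin/sh
# Added example: precondition checks for CVE-2010-1163. Function names are
# illustrative; accepts upstream versions of the form X.Y.Z or X.Y.ZpN only.

# Succeed if a PATH-style string has an entry meaning "current directory":
# ".", "./", or an empty entry (leading colon, trailing colon, or "::").
path_has_cwd() {
    rest="$1:"                      # sentinel keeps a trailing empty entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            ""|.|./) return 0 ;;
        esac
    done
    return 1
}

# Map 1.6.9p17 -> 1060917 so versions compare as integers.
sudo_ver_key() {
    base=${1%%p*}
    plevel=0
    case "$1" in *p*) plevel=${1#*p} ;; esac
    old_ifs=$IFS; IFS=.
    set -- $base
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 10000 + ${3:-0} * 100 + plevel ))
}

# Succeed if the upstream version is within 1.6.8 .. 1.7.2p5 (the advisory's range).
# Distribution packages can carry a backported fix under an in-range version
# (this advisory's fixed package is 1.6.9p17-1.4mdv2009.0), so treat a hit as
# "check the package release", not as proof of exposure.
sudo_in_affected_range() {
    key=$(sudo_ver_key "$1")
    [ "$key" -ge "$(sudo_ver_key 1.6.8)" ] && [ "$key" -le "$(sudo_ver_key 1.7.2p5)" ]
}

# Constructed sample values; on a live host pass "$PATH" and the version from `sudo -V`.
sample_path="/usr/local/bin:/usr/bin:/bin:."
sample_version="1.6.9p17"
if path_has_cwd "$sample_path"; then echo "PATH includes the current directory"; fi
if sudo_in_affected_range "$sample_version"; then
    echo "sudo $sample_version is in the affected upstream range"
fi
```
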

Update:

Packages for 2009.0 are provided due to the Extended Maintenance
Program.

Updated packages

2009.0 x86_64

 8edb8fe51c5e20485dfb05e77fed1810  2009.0/x86_64/sudo-1.6.9p17-1.4mdv2009.0.x86_64.rpm 
 bc3a2e562beff984298dec1a5de1e88b  2009.0/SRPMS/sudo-1.6.9p17-1.4mdv2009.0.src.rpm

2009.0 i586

 7e7362e28da1dadf1e9e49688c2388fa  2009.0/i586/sudo-1.6.9p17-1.4mdv2009.0.i586.rpm 
 bc3a2e562beff984298dec1a5de1e88b  2009.0/SRPMS/sudo-1.6.9p17-1.4mdv2009.0.src.rpm

References