MDVSA-2010:078-1
- Package name: sudo
- Date: 2010-04-28
- Advisory ID: MDVSA-2010:078-1
- Affected versions: 2009.0 x86_64, 2009.0 i586
Problem description
A vulnerability has been found and corrected in sudo:
The command matching functionality in sudo 1.6.8 through 1.7.2p5 does
not properly handle the case where a file in the current working
directory has the same name as a pseudo-command in the sudoers file and
the PATH contains an entry for the current directory (.). This allows
local users to execute arbitrary commands via a Trojan horse executable,
as demonstrated using sudoedit. This issue (CVE-2010-1163) is a
different vulnerability than CVE-2010-0426.
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
The updated packages have been patched to correct this issue.
Update:
Packages for 2009.0 are provided due to the Extended Maintenance
Program.
Updated packages
2009.0 x86_64
8edb8fe51c5e20485dfb05e77fed1810 2009.0/x86_64/sudo-1.6.9p17-1.4mdv2009.0.x86_64.rpm
bc3a2e562beff984298dec1a5de1e88b 2009.0/SRPMS/sudo-1.6.9p17-1.4mdv2009.0.src.rpm
2009.0 i586
7e7362e28da1dadf1e9e49688c2388fa 2009.0/i586/sudo-1.6.9p17-1.4mdv2009.0.i586.rpm
bc3a2e562beff984298dec1a5de1e88b 2009.0/SRPMS/sudo-1.6.9p17-1.4mdv2009.0.src.rpm
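The fixed 2009.0 package (1.6.9p17-1.4mdv2009.0) still carries an upstream version inside the affected range, so a triage check has to compare the package release as well as the sudo version. The following is an added example, not code from Mandriva or the sudo project; the function names, the simplified release ordering and the sample installed build are assumptions made for illustration.

```python
import re

# Upstream range stated in the advisory: sudo 1.6.8 through 1.7.2p5.
AFFECTED_MIN = (1, 6, 8, 0)
AFFECTED_MAX = (1, 7, 2, 5)
# Fixed build the advisory lists for Mandriva 2009.0 (version, release).
FIXED_2009_0 = ("1.6.9p17", "1.4mdv2009.0")


def parse_sudo_version(text):
    """'1.7.2p5' -> (1, 7, 2, 5); a missing patch level counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def upstream_in_affected_range(version):
    return AFFECTED_MIN <= parse_sudo_version(version) <= AFFECTED_MAX


def release_key(release):
    """Simplified RPM release ordering (assumption, not full rpmvercmp):
    numeric chunks compare as integers and sort above alphabetic chunks."""
    chunks = re.findall(r"\d+|[A-Za-z]+", release)
    return [(1, int(c)) if c.isdigit() else (0, c) for c in chunks]


def mdv2009_package_fixed(version, release):
    """True when a 2009.0 package is at or past the advisory's fixed build."""
    fixed_version, fixed_release = FIXED_2009_0
    installed = (parse_sudo_version(version), release_key(release))
    return installed >= (parse_sudo_version(fixed_version), release_key(fixed_release))


def dot_entries(path):
    """PATH entries that are '.', the precondition the advisory names."""
    return [entry for entry in path.split(":") if entry == "."]


def triage(version, release, path):
    """Classify one host; inputs are assumed to come from the 2009.0 package stream."""
    if mdv2009_package_fixed(version, release):
        return "patched"
    if not upstream_in_affected_range(version):
        return "not-affected"
    return "vulnerable-and-exposed" if dot_entries(path) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample: an older 2009.0 build with '.' in PATH.
    print(triage("1.6.9p17", "1.3mdv2009.0", ".:/usr/bin:/bin"))
```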
