MDVSA-2013:026

Nom du paquet

sudo

Date

2013-03-18

Advisory ID

MDVSA-2013:026

Affected versions

MES5 i586 , MES5 x86_64

Problem description

Multiple vulnerabilities has been found and corrected in sudo:

sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allows
local users or physically-proximate attackers to bypass intended time
restrictions and retain privileges without re-authenticating by setting
the system clock and sudo user timestamp to the epoch (CVE-2013-1775).

Sudo before 1.8.6p7 allows a malicious user to run commands via
sudo without authenticating, so long as there exists a terminal the
user has access to where a sudo command was successfully run by that
same user within the password timeout period (usually five minutes)
(CVE-2013-1776).

The updated packages have been patched to correct these issues.

Updated packages

MES5 i586

 0a63960282d3502946d4f2a1f09992a9  mes5/i586/sudo-1.7.4p6-0.3mdvmes5.2.i586.rpm 
 30d4c634b9383cac4ab2dafdc68891ad  mes5/SRPMS/sudo-1.7.4p6-0.3mdvmes5.2.src.rpm

MES5 x86_64

 dd2b2eb33fd27b522216e664a5e95744  mes5/x86_64/sudo-1.7.4p6-0.3mdvmes5.2.x86_64.rpm 
 30d4c634b9383cac4ab2dafdc68891ad  mes5/SRPMS/sudo-1.7.4p6-0.3mdvmes5.2.src.rpm

References

• http://www.sudo.ws/sudo/alerts/epoch_ticket.html
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1776
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775
• http://www.sudo.ws/sudo/alerts/tty_tickets.html