Support / Sécurité / Annonces de sécurité / Mandriva Enterprise Server 5 / MDVSA-2010:049

Nom du paquet: sudo
Date: 2010-02-25
Advisory ID: MDVSA-2010:049
Affected versions: 2009.0 x86_64 , MES5 i586 , 2010.0 x86_64 , 2010.0 i586 , 2009.1 i586 , 2009.0 i586 , CS4.0 i586 , 2008.0 x86_64 , CS4.0 x86_64 , 2008.0 i586 , 2009.1 x86_64 , MES5 x86_64

Problem description

A vulnerabilitiy has been found and corrected in sudo:

sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a
pseudo-command is enabled, permits a match between the name of the
pseudo-command and the name of an executable file in an arbitrary
directory, which allows local users to gain privileges via a crafted
executable file, as demonstrated by a file named sudoedit in a user's
home directory (CVE-2010-0426).

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

The updated packages have been patched to correct this issue.

Updated packages

2009.0 x86_64

 8d90cd76b9151081210862cf683b3bb0  2009.0/x86_64/sudo-1.6.9p17-1.2mdv2009.0.x86_64.rpm 
 125df251896634f18a03b24a549ec7b1  2009.0/SRPMS/sudo-1.6.9p17-1.2mdv2009.0.src.rpm

MES5 i586

 24b71283f185bd84f5f6c4888189c3f3  mes5/i586/sudo-1.6.9p17-1.2mdvmes5.i586.rpm 
 05b806110bddd2887c458935aad515d9  mes5/SRPMS/sudo-1.6.9p17-1.2mdv2009.0.src.rpm

2010.0 x86_64

 06bb48289c0e11f2ca342551fdc73101  2010.0/x86_64/sudo-1.7.2-0.p1.1.1mdv2010.0.x86_64.rpm 
 cd03efac7a3fec65d55bb1688b74b635  2010.0/SRPMS/sudo-1.7.2-0.p1.1.1mdv2010.0.src.rpm

2010.0 i586

 536ee0cde6953cf5b87b885578b03801  2010.0/i586/sudo-1.7.2-0.p1.1.1mdv2010.0.i586.rpm 
 cd03efac7a3fec65d55bb1688b74b635  2010.0/SRPMS/sudo-1.7.2-0.p1.1.1mdv2010.0.src.rpm

2009.1 i586

 f00f9688de440a386fabe8eeaa536bbe  2009.1/i586/sudo-1.7.0-1.3mdv2009.1.i586.rpm 
 c5ac4157a1c1d1bf020efbb3728f4354  2009.1/SRPMS/sudo-1.7.0-1.3mdv2009.1.src.rpm

2009.0 i586

 beb146a0efc54a16eecb33ca383fdff6  2009.0/i586/sudo-1.6.9p17-1.2mdv2009.0.i586.rpm 
 125df251896634f18a03b24a549ec7b1  2009.0/SRPMS/sudo-1.6.9p17-1.2mdv2009.0.src.rpm

CS4.0 i586

 2fa3155ea61289c28ad02ce038c8368f  corporate/4.0/i586/sudo-1.6.8p8-2.4.20060mlcs4.i586.rpm 
 ff49ebff95faee235fb12ff7d80a9cb6  corporate/4.0/SRPMS/sudo-1.6.8p8-2.4.20060mlcs4.src.rpm

2008.0 x86_64

 1daf86dac924b4fdc75136706df28bb2  2008.0/x86_64/sudo-1.6.9p5-1.2mdv2008.0.x86_64.rpm 
 e679553cfa349a9bd23f64db045ab504  2008.0/SRPMS/sudo-1.6.9p5-1.2mdv2008.0.src.rpm

CS4.0 x86_64

 34f8a1cf7de841c9db031825b0fde786  corporate/4.0/x86_64/sudo-1.6.8p8-2.4.20060mlcs4.x86_64.rpm 
 ff49ebff95faee235fb12ff7d80a9cb6  corporate/4.0/SRPMS/sudo-1.6.8p8-2.4.20060mlcs4.src.rpm

2008.0 i586

 74ddc3854a9e0a4732e63466045e1e1d  2008.0/i586/sudo-1.6.9p5-1.2mdv2008.0.i586.rpm 
 e679553cfa349a9bd23f64db045ab504  2008.0/SRPMS/sudo-1.6.9p5-1.2mdv2008.0.src.rpm

2009.1 x86_64

 d0db73e931d25293812bdb746fb85cb3  2009.1/x86_64/sudo-1.7.0-1.3mdv2009.1.x86_64.rpm 
 c5ac4157a1c1d1bf020efbb3728f4354  2009.1/SRPMS/sudo-1.7.0-1.3mdv2009.1.src.rpm

MES5 x86_64

 6a91ab3ff6003649be458c24961069be  mes5/x86_64/sudo-1.6.9p17-1.2mdvmes5.x86_64.rpm 
 05b806110bddd2887c458935aad515d9  mes5/SRPMS/sudo-1.6.9p17-1.2mdv2009.0.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0426