Ubuntu 8.04 LTS / 8.10 : sudo vulnerability (USN-722-1)

Ubuntu Security Notice (C) 2009-2013 Canonical, Inc. / NASL script (C) 2009-2013 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

Harald Koenig discovered that sudo did not correctly handle certain
privilege changes when handling groups. If a local attacker belonged
to a group included in a 'RunAs' list in the /etc/sudoers file, that
user could gain root privileges. This was not an issue for the default
sudoers file shipped with Ubuntu.

Solution :

Update the affected sudo and / or sudo-ldap packages.

Risk factor :

Medium / CVSS Base Score : 6.9
(CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 5.7
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 38070 ()

Bugtraq ID: 33517

CVE ID: CVE-2009-0034
CVE-2011-0008