FreeBSD : sudo -- local race condition vulnerability (3bf157fa-e1c6-11d9-b875-0001020eed82)
Low Nessus Plugin ID 18906
SynopsisThe remote FreeBSD host is missing a security-related update.
DescriptionTodd C. Miller reports :
A race condition in Sudo's command pathname handling prior to Sudo version 1.6.8p9 that could allow a user with Sudo privileges to run arbitrary commands.
Exploitation of the bug requires that the user be allowed to run one or more commands via Sudo and be able to create symbolic links in the filesystem. Furthermore, a sudoers entry giving another user access to the ALL pseudo-command must follow the user's sudoers entry for the race to exist.
SolutionUpdate the affected package.