
Security Advisory Moderate: sudo security update

Advisory: RHSA-2010:0361-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-04-20
Last updated on: 2010-04-20
Affected Products: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2010-1163

Details

An updated sudo package that fixes one security issue is now available for
Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

The sudo (superuser do) utility allows system administrators to give
certain users the ability to run commands as root.

The RHBA-2010:0212 sudo update released as part of Red Hat Enterprise Linux
5.5 added the ability to change the value of the ignore_dot option in the
"/etc/sudoers" configuration file. This change introduced a regression in
the upstream fix for CVE-2010-0426. In configurations where the ignore_dot
option was set to off (the default is on for the Red Hat Enterprise Linux 5
sudo package, so configurations that leave it at the default are not
affected), a local user authorized to use the sudoedit pseudo-command could
run arbitrary commands with the privileges of the users sudoedit was
authorized to run as. (CVE-2010-1163)

Red Hat would like to thank Todd C. Miller, the upstream sudo maintainer,
for responsibly reporting this issue. Upstream acknowledges Valerio
Costamagna as the original reporter.

Users of sudo should upgrade to this updated package, which contains a
backported patch to correct this issue.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
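
Two checks follow from the Details and Solution sections above: whether a
sudoers file turns ignore_dot off (the configuration the issue requires), and
whether the installed Red Hat Enterprise Linux 5 sudo build is at or past
sudo-1.7.2p1-6.el5_5. The POSIX shell helpers below are an added example, not
part of this advisory or of Red Hat's tooling; the function names
(sudoers_disables_ignore_dot, sudo_release_is_fixed, audit_host) are
hypothetical and the sudoers fragments are constructed. The release comparison
only understands the 1.7.2p1-N.el5 series listed in this advisory and reports
"unknown" for anything else.

```shell
#!/bin/sh
# Added example, not Red Hat's code: audit helpers for the two conditions the
# advisory describes. Function names are hypothetical; sample inputs are constructed.

FIXED_VERSION="1.7.2p1"
FIXED_RELEASE=6   # release number of the fixed build sudo-1.7.2p1-6.el5_5

# Exit 0 when the sudoers text on stdin turns ignore_dot off, i.e. a Defaults
# line (plain, or Defaults:user / Defaults@host / Defaults>runas / Defaults!cmd)
# whose comma- or space-separated flag list contains "!ignore_dot".
# Comments are stripped first so a commented-out line does not count.
sudoers_disables_ignore_dot() {
    sed 's/#.*//' |
    grep -Eq '^[[:space:]]*Defaults([:@>!][^[:space:]]+)?[[:space:]]+(.*[[:space:],])?!ignore_dot([[:space:],]|$)'
}

# Exit 0 when an RHEL 5 sudo package NVR (output of "rpm -q sudo") is at or past
# the fixed build; exit 1 when it is older; exit 2 when it is not in the
# 1.7.2p1-N.el5 series this advisory covers, so callers never assume safety
# for a build the comparison does not understand.
sudo_release_is_fixed() {
    nvr=$1
    case "$nvr" in
        sudo-${FIXED_VERSION}-*.el5*) ;;
        *) return 2 ;;
    esac
    rel=${nvr#sudo-${FIXED_VERSION}-}   # e.g. "6.el5_5"
    rel=${rel%%.*}                       # e.g. "6"
    [ "$rel" -ge "$FIXED_RELEASE" ]
}

# Constructed sudoers fragments (not from any real host). WEAK_SUDOERS has the
# setting the issue needs: ignore_dot turned off for a sudoedit user.
WEAK_SUDOERS='# constructed sample
Defaults    env_reset, !ignore_dot
alice ALL = sudoedit /etc/motd'
SAFE_SUDOERS='Defaults    env_reset
alice ALL = sudoedit /etc/motd'

# Live audit of this host (call it as root; not run automatically). The
# changelog grep assumes the fixed build's RPM changelog cites the CVE, as Red
# Hat builds normally do.
audit_host() {
    nvr=$(rpm -q sudo) || { echo "sudo is not installed"; return 2; }
    if sudo_release_is_fixed "$nvr"; then
        echo "OK: $nvr is at or past sudo-${FIXED_VERSION}-${FIXED_RELEASE}.el5_5"
    elif rpm -q --changelog sudo | grep -q 'CVE-2010-1163'; then
        echo "OK: $nvr changelog cites CVE-2010-1163"
    else
        echo "VULNERABLE build: $nvr (apply RHSA-2010:0361)"
    fi
    if sudoers_disables_ignore_dot < /etc/sudoers; then
        echo "WARNING: /etc/sudoers turns ignore_dot off; exposed if the build is not fixed"
    else
        echo "OK: ignore_dot is left at its default (on)"
    fi
}
```

Files pulled in through #include or #includedir are not followed; pipe each of
them through sudoers_disables_ignore_dot separately. The version check returns
2 rather than guessing for builds outside the el5 series, so a wrapper script
should treat anything other than exit 0 as "not confirmed fixed".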

Updated packages

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
sudo-1.7.2p1-6.el5_5.src.rpm
File outdated by: RHSA-2014:0266
MD5: 65fac6b7743bd53de3db5ce9bfeb2b14
SHA-256: 6086d7c6f084a2d2792859df3adac5325bedb93b20c54442a1fb2a760bc604a0

IA-32:
sudo-1.7.2p1-6.el5_5.i386.rpm
File outdated by: RHSA-2014:0266
MD5: 3fdb5cf57e16a94441117d612bef85d3
SHA-256: 25f786dc922235f42e70713c079779ee9ad9fb2badadac0c09505ab7cb898824

IA-64:
sudo-1.7.2p1-6.el5_5.ia64.rpm
File outdated by: RHSA-2014:0266
MD5: 856f97bc64528f4b83f1e92148b699e0
SHA-256: a81cf89a8cc96f183e7a1d51482fa4fd0cfcc7e4fb9015ab677ada0a4fe60a0c

PPC:
sudo-1.7.2p1-6.el5_5.ppc.rpm
File outdated by: RHSA-2014:0266
MD5: 3b6c760bba11cea56bb5e63201336f16
SHA-256: dae1afc42640e364111e3cf44ad3fe0cc00403cebb44c1bfb9789e253ef0f561

s390x:
sudo-1.7.2p1-6.el5_5.s390x.rpm
File outdated by: RHSA-2014:0266
MD5: 792337e579828ab2ea6238f69a38579d
SHA-256: 546ff7174dc10dede3cc1b8d0f6b2929aa3eed4e211a1db0a606a962047318e4

x86_64:
sudo-1.7.2p1-6.el5_5.x86_64.rpm
File outdated by: RHSA-2014:0266
MD5: 530989029b770c8f0eb29c4896043817
SHA-256: 9aedc8fa31a1644f34e17d7570ef3bb7f6b782cf3e7c81ec0eaf9da24ab20135

Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
sudo-1.7.2p1-6.el5_5.src.rpm
File outdated by: RHSA-2014:0266
MD5: 65fac6b7743bd53de3db5ce9bfeb2b14
SHA-256: 6086d7c6f084a2d2792859df3adac5325bedb93b20c54442a1fb2a760bc604a0

IA-32:
sudo-1.7.2p1-6.el5_5.i386.rpm
File outdated by: RHSA-2014:0266
MD5: 3fdb5cf57e16a94441117d612bef85d3
SHA-256: 25f786dc922235f42e70713c079779ee9ad9fb2badadac0c09505ab7cb898824

x86_64:
sudo-1.7.2p1-6.el5_5.x86_64.rpm
File outdated by: RHSA-2014:0266
MD5: 530989029b770c8f0eb29c4896043817
SHA-256: 9aedc8fa31a1644f34e17d7570ef3bb7f6b782cf3e7c81ec0eaf9da24ab20135

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

580441 - CVE-2010-1163 sudo: incomplete fix for the sudoedit privilege escalation issue CVE-2010-0426


References

CVE-2010-1163 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1163

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/