USN-722-1: sudo vulnerability
Posted on: 02/17/2009 10:40 PM

A new sudo vulnerability update is available for Ubuntu Linux. Here the announcement:

Ubuntu Security Notice USN-722-1 February 17, 2009
sudo vulnerability

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
sudo 1.6.9p10-1ubuntu3.4

Ubuntu 8.10:
sudo 1.6.9p17-1ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Harald Koenig discovered that sudo did not correctly handle certain
privilege changes when handling groups. If a local attacker belonged
to a group included in a "RunAs" list in the /etc/sudoers file, that
user could gain root privileges. This was not an issue for the default
sudoers file shipped with Ubuntu.

Updated packages for Ubuntu 8.04 LTS:

Source archives:
Size/MD5: 28195 a3ef076ed66f2a1d1ab0ebd5cafefaa4
Size/MD5: 739 91a65bd5beb7e2f7206d081455238fdb
Size/MD5: 579302 16db2a1213159a1fac8239eab58108f5

amd64 architecture (Athlon64, Opteron, EM64T Xeon):
Size/MD5: 188062 246612b4d29a8fd216cd1f5619b6f92f
Size/MD5: 199606 b5b948d0f3f12791e97838ea1b952ce2

i386 architecture (x86 compatible Intel/AMD):
Size/MD5: 176230 bc3547ffcc1a8060cf96f0d096a44c3c
Size/MD5: 187056 ce23d03b7e8f10f714a9c559ce741458

lpia architecture (Low Power Intel Architecture):
Size/MD5: 177396 57ef14f30094341da593dd3683f3f7e8
Size/MD5: 188098 d4c576aac4c27e7ab3646c5ac5a323e3

powerpc architecture (Apple Macintosh G3/G4/G5):
Size/MD5: 188226 a4739b543098b729cfb63ce20fc37dae
Size/MD5: 202064 226b1789a16fedf35241f16e74e2f252

sparc architecture (Sun SPARC/UltraSPARC):
Size/MD5: 182204 22004aca9eddcd46a4bda1d066b97ac1
Size/MD5: 193236 96f59c47bbc14586b40c440995467ea4

Updated packages for Ubuntu 8.10:

Source archives:
Size/MD5: 25366 af7e507328494298721aad11d13488da
Size/MD5: 1135 e5192f02cdc0284d832460ac7ae4b955
Size/MD5: 593534 60daf18f28e2c1eb7641c4408e244110

amd64 architecture (Athlon64, Opteron, EM64T Xeon):
Size/MD5: 191138 ad2dae17ccbc9673d8e53546afee3d14
Size/MD5: 202074 ab01d71c8e86e83903dc72fbebba4c90

i386 architecture (x86 compatible Intel/AMD):
Size/MD5: 179122 ee80fb039bc6d493050a876593bdf8e0
Size/MD5: 188614 1158e7471fe07070c9900ebcb827af98

lpia architecture (Low Power Intel Architecture):
Size/MD5: 180306 f0ec9a79d4728047c6d32f3126ae06af
Size/MD5: 189392 830c281c450cceed63fdb46093a8e082

powerpc architecture (Apple Macintosh G3/G4/G5):
Size/MD5: 188548 0de77be3253ffe27353ca481c638696c
Size/MD5: 200986 04c80b6cf9764550b81d19ada01df988

sparc architecture (Sun SPARC/UltraSPARC):
Size/MD5: 183994 7ed518be234fa37482f3c4e86c49ae3f
Size/MD5: 193662 f9616eade202d044a2a62c8ed2b043d8

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Kees Cook lt;kees@outflux.netgt;


Printed from Linux Compatible (