CVE-2010-0426

Publication date 23 February 2010

Last updated 24 July 2024

Ubuntu priority

sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which allows local users to gain privileges via a crafted executable file, as demonstrated by a file named sudoedit in a user's home directory.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
sudo	9.10 karmic	Fixed 1.7.0-1ubuntu2.1
	9.04 jaunty	Fixed 1.6.9p17-1ubuntu3.1
	8.10 intrepid	Fixed 1.6.9p17-1ubuntu2.2
	8.04 LTS hardy	Fixed 1.6.9p10-1ubuntu3.6
	6.06 LTS dapper	Fixed 1.6.8p12-1ubuntu6.1

Notes

jdstrand

"Exploitation of the bug requires that the sudoers file be configured to allow the attacker to run sudoedit. If no users have been granted access to sudoedit there is no impact." Dapper has 1.6.8. If --secure-path is used and compiled to use execvp(), then sudo should not be vulnerable. Dapper is compiled with --secure-path and happens to use execvp()

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
sudo	Upstream: http://sudo.ws/repos/sudo/rev/88f3181692fe Upstream: http://sudo.ws/repos/sudo/rev/f86e1b56d074

References

Related Ubuntu Security Notices (USN)