[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 382-1] sudo security update

Package        : sudo
Version        : 1.7.4p4-2.squeeze.6
CVE ID         : CVE-2015-5602
Debian Bug     : 804149

When sudo is configured to allow a user to edit files under a
directory that they can already write to without using sudo, they can
actually edit (read and write) arbitrary files.  Daniel Svartman
reported that a configuration like this might be introduced
unintentionally if the editable files are specified using wildcards,
for example:

    operator ALL=(root) sudoedit /home/*/*/test.txt

The default behaviour of sudo has been changed so that it does not
allow editing of a file in a directory that the user can write to, or
that is reached by following a symlink in a directory that the user
can write to.  These restrictions can be disabled, but this is
strongly discouraged.

For the oldoldstable distribution (squeeze), this has been fixed in
version 1.7.4p4-2.squeeze.6.

For the oldstable distribution (wheezy) and the stable distribution
(jessie), this will be fixed soon.

Ben Hutchings - Debian developer, member of Linux kernel and LTS teams

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: