Upstream information

CVE-2010-2956 at MITRE

Description

Sudo 1.7.0 through 1.7.4p3, when a Runas group is configured, does not properly handle use of the -u option in conjunction with the -g option, which allows local users to gain privileges via a command line containing a "-u root" sequence.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v2 Scores (National Vulnerability Database)
  Base Score: 6.2
  Vector: AV:L/AC:H/Au:N/C:C/I:C/A:C
  Access Vector: Local
  Access Complexity: High
  Authentication: None
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete

Note from the SUSE Security Team

This only affects sudo versions starting from 1.7.2, so only openSUSE 11.2 and 11.3 are affected and will receive fixes. No SUSE Linux Enterprise product is affected by this problem.

SUSE Bugzilla entries: 635843 [RESOLVED / FIXED], 637218 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) | Fixed package version(s) | References
openSUSE 11.2
  • sudo-debuginfo >= 1.7.2-2.3.1
  • sudo-debugsource >= 1.7.2-2.3.1
openSUSE 11.2
  • sudo >= 1.7.2-2.3.1
openSUSE 11.3
  • sudo-debuginfo >= 1.7.2p7-2.1.1
  • sudo-debugsource >= 1.7.2p7-2.1.1
openSUSE 11.3
  • sudo >= 1.7.2p7-2.1.1