FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2009-0034

This CVE name corresponds to:

Entered: 2009-02-06
Topic: sudo -- certain authorized users could run commands as any user

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2009-0034
Phase: Assigned (20081215)

Description

parse.c in sudo 1.6.9p17 through 1.6.9p19 does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo command.

References

Source Reference
BUGTRAQ 20090129 rPSA-2009-0021-1 sudo
BUGTRAQ 20090711 VMSA-2009-0009 ESX Service Console updates for udev, sudo, and curl
MLIST [Security-announce] 20090710 VMSA-2009-0009 ESX Service Console updates for udev, sudo, and curl
CONFIRM http://wiki.rpath.com/Advisories:rPSA-2009-0021
CONFIRM http://www.gratisoft.us/bugzilla/show_bug.cgi?id=327
CONFIRM http://www.sudo.ws/cgi-bin/cvsweb/sudo/parse.c.diff?r1=1.160.2.21&r2=1.160.2.22&f=h
CONFIRM https://bugzilla.novell.com/show_bug.cgi?id=468923
CONFIRM https://issues.rpath.com/browse/RPL-2954
CONFIRM http://www.vmware.com/security/advisories/VMSA-2009-0009.html
MANDRIVA MDVSA-2009:033
REDHAT RHSA-2009:0267
BID 33517
OSVDB 51736
OVAL oval:org.mitre.oval:def:10856
OVAL oval:org.mitre.oval:def:6462
SECTRACK 1021688
SECUNIA 33753
SECUNIA 33885
SECUNIA 33840
SECUNIA 35766
VUPEN ADV-2009-1865