FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2010-2956

This CVE name corresponds to:

Entered: 2010-09-07
Topic: sudo -- Flaw in Runas group matching

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2010-2956
Phase: Assigned (20100804)

Description

Sudo 1.7.0 through 1.7.4p3, when a Runas group is configured, does not properly handle use of the -u option in conjunction with the -g option, which allows local users to gain privileges via a command line containing a "-u root" sequence.

References

Source Reference
BUGTRAQ 20110105 VMSA-2011-0001 VMware ESX third party updates for Service Console packages glibc, sudo, and openldap
BUGTRAQ 20101027 rPSA-2010-0075-1 sudo
CONFIRM http://www.sudo.ws/sudo/alerts/runas_group.html
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=628628
CONFIRM http://www.vmware.com/security/advisories/VMSA-2011-0001.html
CONFIRM http://wiki.rpath.com/Advisories:rPSA-2010-0075
FEDORA FEDORA-2010-14355
GENTOO GLSA-201009-03
MANDRIVA MDVSA-2010:175
REDHAT RHSA-2010:0675
SUSE SUSE-SR:2010:017
UBUNTU USN-983-1
BID 43019
SECTRACK 1024392
SECUNIA 40508
SECUNIA 41316
SECUNIA 42787
VUPEN ADV-2010-2312
VUPEN ADV-2010-2318
VUPEN ADV-2010-2320
VUPEN ADV-2010-2358
VUPEN ADV-2011-0025