Advisories » MGASA-2015-0443

Updated sudo packages fix security vulnerability

Publication date: 10 Nov 2015
Modification date: 10 Nov 2015
Type: security
Affected Mageia releases : 5
CVE: CVE-2015-5602

Description

An unauthorized privilege escalation was found in sudoedit in sudo before
1.8.15 when a user is granted with root access to modify a particular file
that could be located in a subset of directories. It seems that sudoedit
does not check the full path if a wildcard is used twice
(e.g. /home/*/*/file.txt), allowing a malicious user to replace the
file.txt real file with a symbolic link to a different location
(e.g. /etc/shadow), which results in unauthorized access (CVE-2015-5602).

The sudo package has been updated to version 1.8.15, which fixes this
issue, and also includes many other bug fixes and changes.  See the
upstream change log for details.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=17117
• http://www.sudo.ws/stable.html#1.8.15
• https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171024.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5602

SRPMS

5/core

• sudo-1.8.15-1.mga5