Advisories ยป MGASA-2015-0443

Updated sudo packages fix security vulnerability

Publication date: 10 Nov 2015
Type: security
Affected Mageia releases : 5
CVE: CVE-2015-5602

Description

An unauthorized privilege escalation was found in sudoedit in sudo before
1.8.15 when a user is granted with root access to modify a particular file
that could be located in a subset of directories. It seems that sudoedit
does not check the full path if a wildcard is used twice
(e.g. /home/*/*/file.txt), allowing a malicious user to replace the
file.txt real file with a symbolic link to a different location
(e.g. /etc/shadow), which results in unauthorized access (CVE-2015-5602).

The sudo package has been updated to version 1.8.15, which fixes this
issue, and also includes many other bug fixes and changes.  See the
upstream change log for details.
                

References

SRPMS

5/core