Advisories » MGASA-2015-0443

Updated sudo packages fix security vulnerability

Publication date: 10 Nov 2015
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-5602


An unauthorized privilege escalation was found in sudoedit in sudo before
1.8.15. It occurs when a user is granted root access to modify a
particular file that could be located in a subset of directories. It seems
that sudoedit does not check the full path if a wildcard is used twice
(e.g. /home/*/*/file.txt), allowing a malicious user to replace the real
file.txt with a symbolic link to a different location (e.g. /etc/shadow),
which results in unauthorized access (CVE-2015-5602).

The sudo package has been updated to version 1.8.15, which fixes this
issue, and also includes many other bug fixes and changes.  See the
upstream change log for details.
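
To find rules of the kind described above, the following added example (not part of the advisory or of sudo) scans sudoers text for sudoedit paths containing wildcards and checks a sudo version string against 1.8.15. The sample sudoers content, user names and function names are constructed for illustration; the scan also reports single-wildcard paths so that rules with two or more, the pattern the advisory names, can be prioritised.

```python
import re

FIXED = (1, 8, 15)  # first fixed sudo release, per the advisory

# Constructed sample sudoers content (hypothetical users and paths).
SAMPLE_SUDOERS = r"""
Defaults env_reset
alice ALL=(root) sudoedit /home/*/*/file.txt
bob   ALL=(root) sudoedit /etc/motd
carol ALL=(root) NOPASSWD: sudoedit /srv/www/*/index.html, \
      /usr/bin/systemctl restart nginx
# erin ALL=(root) sudoedit /opt/*/*/conf
"""

def is_affected(version):
    """True if a sudo version string such as '1.8.14p3' predates the fix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    return tuple(int(p) for p in m.groups()) < FIXED

def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf = ""

def wildcard_sudoedit_rules(text):
    """Return (line_no, path, wildcard_count) for sudoedit paths with wildcards."""
    hits = []
    for no, line in logical_lines(text):
        if re.match(r"\s*#(?!\d)", line):  # comment, not a "#uid" user spec
            continue
        for cmd in re.findall(r"\bsudoedit\s+([^,]+)", line):
            for path in cmd.split():
                count = len(re.findall(r"[*?]|\[[^\]]*\]", path))
                if count:
                    hits.append((no, path, count))
    return hits

if __name__ == "__main__":
    for no, path, count in wildcard_sudoedit_rules(SAMPLE_SUDOERS):
        print(f"line {no}: sudoedit {path} ({count} wildcard(s))")
```

On a real host, pass the function the contents of /etc/sudoers and of any included files, and take the version string from the first line of `sudo -V`.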