CVE-2011-0010
check.c in sudo 1.7.x before 1.7.4p5, when a Runas group is configured, does not require a password for command execution that involves a gid change but no uid change, which allows local users to bypass an intended authentication requirement via the -g option to a sudo command.
Affected products
n/a · n/a
References
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053263.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053341.html
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
http://openwall.com/lists/oss-security/2011/01/11/3
http://openwall.com/lists/oss-security/2011/01/12/1
http://openwall.com/lists/oss-security/2011/01/12/3
https://bugzilla.redhat.com/show_bug.cgi?id=668879
http://secunia.com/advisories/42886
http://secunia.com/advisories/42949
http://secunia.com/advisories/42968
http://secunia.com/advisories/43068