Sudo Security Alerts

  • January 30, 2012
    A format string vulnerability has been found when the -D (debugging) flag is used. Affected sudo versions are 1.8.0 through 1.8.3p1. The flaw may allow a user to run commands as root without being prompted for a password.

  • January 12, 2011
    A potential security issue exists in the handling of sudo's -g command line option when -u is not specified. Affected sudo versions are 1.7.0 through 1.7.4p4. The flaw may allow a user to run commands as a group without being prompted for a password.

  • September 7, 2010
    A potential security issue exists in the handling of sudo's -g command line option when -u is also specified. Affected sudo versions are 1.7.0 through 1.7.4p3. The flaw may allow an attacker to run commands as a user that is not authorized by the sudoers file.

  • June 2, 2010
    A potential security issue exists in sudo's secure path functionality in sudo versions 1.3.1 through 1.6.9p22 and versions 1.7.0 through 1.7.2p6. The flaw may allow an attacker to bypass the secure path PATH restrictions and set PATH to a user-controlled value.

  • April 9, 2010
    An additional security issue exists in sudo's -e option (aka sudoedit) in sudo versions 1.6.8 through 1.7.2p5 that may give a user with permission to run sudoedit the ability to run arbitrary commands.

  • February 22, 2010
    A security issue exists in sudo's -e option (aka sudoedit) in sudo versions 1.6.9 through 1.7.2p3 that may give a user with permission to run sudoedit the ability to run arbitrary commands.

  • December 6, 2009
    A security issue with sudoers rules that include Cmnd_Alias entries that use the negation operator has been fixed.

  • January 29, 2009
    A security issue with sudoers rules that include a group in the RunAs portion of the rule has been discovered.

  • July 17, 2007
    A security issue has been discovered with the Kerberos 5 authentication that allows a malicious user to avoid authenticating with sudo.

  • November 8, 2005
    A security issue has been discovered that allows a malicious user with permission to run a perl shell script to execute arbitrary perl code.

  • October 27, 2005
    A security issue has been discovered that allows a malicious user with permission to run a bash shell script to execute arbitrary commands.

  • June 20, 2005
    A race condition has been discovered that could allow a malicious user with sudo privileges to execute arbitrary commands.

  • November 11, 2004
    A security issue has been discovered that allows a malicious user with permission to run a bash shell script to execute arbitrary commands.

  • September 15, 2004
    A bug in sudoedit has been discovered that allows a malicious user to read files that would otherwise be unreadable.

  • April 25, 2002
    A buffer overflow bug has been discovered in sudo's prompt expansion code.

  • January 14, 2002
    A security issue has been discovered that could allow an attacker to gain root privileges via sudo if the Postfix mailer is installed.

  • February 22, 2001
    A bug has been discovered in sudo's logging functions.