[Secure-testing-team] Bug#804149: CVE-2015-5602: Unauthorized privilege escalation in sudoedit
Laurent Bigonville
bigon at debian.org
Thu Nov 5 13:11:46 UTC 2015
Package: sudo
Version: 1.7.4p4-2.squeeze.4
Severity: critical
Tags: upstream security
Justification: root security hole
Hi,
Apparently a security issue has been disclosed (CVE-2015-5602) allowing users
to open files with sudoedit that they are not supposed to, using symlinks,
see: https://www.exploit-db.com/exploits/37710/
Upstream has released a new fixed version by not following symlinks
by default.
But according to this comment[0], this is not fixing the issue
completely.
Cheers,
Laurent Bigonville
[0] https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1512781/comments/1