%sudo ALL = (ALL : ALL) ALLa user in the sudo group will be permitted to run any command with any combination of user or group. When sudo determines whether or not to prompt for a password, it first checks whether the invoking user is root, the invoking user is a member of an "exempt" group, or that the target user is the same as the invoking user. If any of those three conditions are true, no password is required. When the "runas group" support was added in sudo 1.7.0, this logic was not updated to take the target group into account. This resulted in sudo incorrectly skipping the password check when the target user is the same as the invoking user, but the invoking user is not a member of the target group.
For example, the following entry is affected because it contains both a Runas user and a Runas group:
%sudo ALL = (ALL : ALL) ALLWhereas this one only contains a Runas user and is not affected:
%wheel ALL = (ALL) ALL
Note that this flaw does not allow a user to run unauthorized commands, it only affects user authentication.