[sudo-announce] Security flaw in sudo versions 1.8.0 through 1.8.3p1
Todd C. Miller
Todd.Miller at courtesan.com
Mon Jan 30 10:37:24 EST 2012
A flaw exists in the debugging code in sudo versions 1.8.0 through
1.8.3p1 that can be used to crash sudo or potentially allow an
unauthorized user to elevate privileges.
Sudo versions affected:
1.8.0 through 1.8.3p1 inclusive. Older versions of sudo are not
This vulnerability has been assigned CVE 2012-0809 in the Common
Vulnerabilities and Exposures database.
Sudo 1.8.0 introduced simple debugging support that was primarily
intended for use when developing policy or I/O logging plugins.
The sudo_debug() function contains a flaw where the program name
is used as part of the format string passed to the fprintf() function.
The program name can be controlled by the caller, either via a
symbolic link or, on some systems, by setting argv when executing
sudo. For example:
$ ln -s /usr/bin/sudo ./%s
$ ./%s -D9
Using standard format string vulnerability exploitation techniques
it is possible to leverage this bug to achieve root privileges.
Successful exploitation of the bug will allow a user to run arbitrary
commands as root.
Exploitation of the bug does *not* require that the attacker be
listed in the sudoers file. As such, we strongly suggest that
affected sites upgrade from affected sudo versions as soon as
On systems that support FORTIFY_SOURCE (most Linux and NetBSD),
adding -D_FORTIFY_SOURCE=2 to the OSDEFS line in src/Makfile and
then rebuilding sudo will prevent the bug from being exploited.
The bug is fixed in sudo 1.8.3p2. Sudo version 1.8.3p1 may be
updated to version 1.8.3p2 via the file sudo-1.8.3p2.patch.gz. For
sudo versions 1.8.0-1.8.3, the patch to sudo.c in sudo-1.8.3p2.patch.gz
will also apply.
Thanks to joernchen of Phenoelit for finding and reporting the bug.
More information about the sudo-announce