A flaw exists in sudo’s per-command chroot feature that could result in the variable that stores the command being freed more than once.
Sudo versions 1.9.8 through 1.9.13p1 inclusive are affected. Versions of sudo prior to 1.9.8 are not affected.
Starting with Sudo 1.9.3, it is possible to specify an alternate root directory that sudo will change to before executing the command. For example:
someuser ALL = CHROOT=/var/www /bin/sh
will result in /bin/sh being run inside the chroot jail /var/www when the specified user runs that command via sudo.
Sudo 1.9.8 included a fix for a memory leak which can result in the user_cmnd variable being freed twice, but only when processing a sudoers rule that contains a CHROOT setting. This does not affect the chroot Defaults setting; only a per-rule CHROOT setting will trigger the bug.
The bug can only be triggered by a user that has been granted sudo privileges using a sudoers rule that contains a CHROOT setting, and the rule must match the current host. If no sudoers rules contain a CHROOT setting, there is no impact. This feature is not
Remove rules from the sudoers file that contain a CHROOT setting if using an affected version of sudo.
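As an added check that is not part of the advisory: a small Python script that tells whether a reported sudo version falls inside the affected range (1.9.8 through 1.9.13p1) and lists the sudoers rules carrying a per-rule CHROOT setting, skipping Defaults lines. The sudoers text and `sudo -V` output below are constructed samples; the script does not evaluate whether a matched rule applies to the current host.

```python
import re
# Affected range stated in the advisory: 1.9.8 through 1.9.13p1 inclusive.
FIRST_AFFECTED = (1, 9, 8, 0)
LAST_AFFECTED = (1, 9, 13, 1)
def parse_version(ver: str) -> tuple:
    """Turn '1.9.13p1' into (1, 9, 13, 1); a missing 'pN' patch level counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {ver!r}")
    major, minor, rel, patch = m.groups()
    return (int(major), int(minor), int(rel), int(patch or 0))

def is_affected(ver: str) -> bool:
    """True if the version lies inside the affected range (1.9.7p2 and 1.9.13p2 fall outside)."""
    return FIRST_AFFECTED <= parse_version(ver) <= LAST_AFFECTED

def version_from_sudo_V(output: str) -> str:
    """Pull the version string out of `sudo -V` output ('Sudo version 1.9.13p1')."""
    m = re.search(r"Sudo version (\S+)", output)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    return m.group(1)

def chroot_rules(sudoers_text: str) -> list:
    """Return user specifications carrying a per-rule CHROOT= setting. Defaults lines are
    skipped, comments dropped ('#uid' entries kept), backslash continuations joined first."""
    joined = re.sub(r"\\\n", " ", sudoers_text)
    hits = []
    for line in joined.splitlines():
        stmt = re.sub(r"\s+#(?!\d).*$", "", line).strip()  # trailing comment, not '#1000'
        if not stmt or re.match(r"#(?!\d|include)", stmt) or stmt.startswith("Defaults"):
            continue
        if re.search(r"\bCHROOT=", stmt):
            hits.append(" ".join(stmt.split()))
    return hits
# Constructed sample input (not taken from any real system).
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults runchroot=/var/www            # Defaults chroot setting: not affected
someuser ALL = CHROOT=/var/www /bin/sh
webteam ALL = (www-data) CHROOT=/srv/web \\
    /usr/bin/php
#1000 ALL = /usr/bin/id
"""
SAMPLE_SUDO_V = "Sudo version 1.9.13p1\nSudoers policy plugin version 1.9.13p1\n"
if __name__ == "__main__":
    ver = version_from_sudo_V(SAMPLE_SUDO_V)
    print(f"sudo {ver} affected: {is_affected(ver)}")
    print("per-rule CHROOT rules:", chroot_rules(SAMPLE_SUDOERS))
```

On a real host, feed `version_from_sudo_V` the output of `sudo -V` and `chroot_rules` the contents of /etc/sudoers together with any files it includes.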
The bug is fixed in sudo 1.9.13p2.
This bug was found internally.