Debian DSA-2062-1 : sudo - missing input sanitization

medium Nessus Plugin ID 47104

Synopsis

The remote Debian host is missing a security-related update.

Description

Anders Kaseorg and Evan Broder discovered a vulnerability in sudo, a program designed to allow a sysadmin to give limited root privileges to users. The vulnerability allows a user with sudo permissions on certain programs to run those programs with an untrusted value of PATH. This could possibly lead to certain intended restrictions, such as the secure_path setting, being bypassed.

Solution

Upgrade the sudo package.

For the stable distribution (lenny), this problem has been fixed in version 1.6.9p17-3.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585394

https://www.debian.org/security/2010/dsa-2062

Plugin Details

Severity: Medium

ID: 47104

File Name: debian_DSA-2062.nasl

Version: 1.8

Type: local

Agent: unix

Published: 6/21/2010

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.2

Vector: CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:5.0, p-cpe:/a:debian:debian_linux:sudo

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 6/17/2010

Reference Information

CVE: CVE-2010-1646

DSA: 2062