Overview
Sudo's -e option (sudoedit) improperly handles temporary files, allowing an attacker to read files that would otherwise be inaccessible.
Description
Sudo is a utility that allows specific users to run certain commands as root. Beginning with version 1.6.8, sudo provides safe editing functionality via sudoedit. Sudoedit allows specific users to edit certain files as root, as specified by the sudoers configuration file. When sudoedit launches the specified editor, it reopens a temporary copy of the file to be edited with root privileges. If this temporary file is changed to be a symlink to a file with restricted access, the editor will display the contents of the file with restricted access. |
Impact
An authenticated user who has the permissions to run sudoedit may be able to read protected files. |
Solution
Apply a patch from your vendor |
|
Vendor Information
FreeBSD Affected
Notified: September 28, 2004 Updated: September 29, 2004
Status
Affected
Vendor Statement
Sudo was corrected in the FreeBSD Ports Collection on September 19. The
issue is documented at
http://vuxml.freebsd.org/a268ef4a-0b35-11d9-8a8a-000c41e2cdad.html
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Apple Computer Inc. Not Affected
Notified: September 28, 2004 Updated: February 17, 2005
Status
Not Affected
Vendor Statement
Mac OS X and Mac OS X Server do not contain this issue as the vulnerable versions of sudo were not distributed.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Cray Inc. Not Affected
Notified: September 28, 2004 Updated: September 29, 2004
Status
Not Affected
Vendor Statement
Cray Inc. supports sudo through its Cray Open Software (COS)
package. The sudo version in COS 3.5 and later is not
vulnerable.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Previous versions of COS are also not vulnerable.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Debian Not Affected
Notified: September 28, 2004 Updated: September 28, 2004
Status
Not Affected
Vendor Statement
No release of Debian contains sudo 1.6.8, nor has it entered our unstable
development tree, so we are not affected by this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
MandrakeSoft Not Affected
Notified: September 28, 2004 Updated: September 29, 2004
Status
Not Affected
Vendor Statement
Mandrakesoft does not ship this version of sudo in any of it's products
so is not vulnerable to this problem.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Openwall GNU/*/Linux Not Affected
Notified: September 28, 2004 Updated: September 29, 2004
Status
Not Affected
Vendor Statement
Openwall GNU/*/Linux is not vulnerable. We do not package sudo.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
TurboLinux Not Affected
Notified: September 28, 2004 Updated: September 29, 2004
Status
Not Affected
Vendor Statement
Not vulnerable.
Turbolinux prodcuts do not contain this issue.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
BSDI Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Conectiva Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
EMC Corporation Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Engarde Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
F5 Networks Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Fujitsu Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Gentoo Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hewlett-Packard Company Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hitachi Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
IBM Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
IBM eServer Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
IBM-zSeries Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Immunix Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Ingrian Networks Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Juniper Networks Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
MontaVista Software Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NEC Corporation Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NETBSD Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Nokia Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Novell Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenBSD Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Redhat Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SCO Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SGI Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sequent Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sony Corporation Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SuSE Inc. Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sun Microsystems Inc. Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Unisys Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Wind River Systems Inc. Unknown
Notified: September 28, 2004 Updated: September 28, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- http://www.sudo.ws/sudo/alerts/sudoedit.html
- http://secunia.com/advisories/12596/
- http://xforce.iss.net/xforce/xfdb/17424
- http://www.securityfocus.com/archive/1/375434/2004-09-13/2004-09-19/0
- http://www.securityfocus.com/bid/11204/info/
- http://www.securitytracker.com/alerts/2004/Sep/1011342.html
- http://www.osvdb.org/10023
Acknowledgements
This vulnerability was reported by Reznic Valery.
This document was written by Will Dormann and is based on the information in the Sudo Alert .
Other Information
| CVE IDs: | None |
| Severity Metric: | 5.25 |
| Date Public: | 2004-09-18 |
| Date First Published: | 2004-10-19 |
| Date Last Updated: | 2004-10-27 21:29 UTC |
| Document Revision: | 12 |