Red Hat Product Errata RHSA-2010:0675 - Security Advisory

Issued:: 2010-09-07
Updated:: 2010-09-07

RHSA-2010:0675 - Security Advisory

Overview
Updated Packages

Synopsis

Important: sudo security update

Type/Severity

Security Advisory: Important

Topic

An updated sudo package that fixes one security issue is now available for
Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Description

The sudo (superuser do) utility allows system administrators to give
certain users the ability to run commands as root.

A flaw was found in the way sudo handled Runas specifications containing
both a user and a group list. If a local user were authorized by the
sudoers file to perform their sudo commands with the privileges of a
specified user and group, they could use this flaw to run those commands
with the privileges of either an arbitrary user or group on the system.
(CVE-2010-2956)

Red Hat would like to thank Markus Wuethrich of Swiss Post - PostFinance
for reporting this issue.

Users of sudo should upgrade to this updated package, which contains a
backported patch to correct this issue.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

Red Hat Enterprise Linux Server 5 x86_64
Red Hat Enterprise Linux Server 5 ia64
Red Hat Enterprise Linux Server 5 i386
Red Hat Enterprise Linux Workstation 5 x86_64
Red Hat Enterprise Linux Workstation 5 i386
Red Hat Enterprise Linux Desktop 5 x86_64
Red Hat Enterprise Linux Desktop 5 i386
Red Hat Enterprise Linux for IBM z Systems 5 s390x
Red Hat Enterprise Linux for Power, big endian 5 ppc
Red Hat Enterprise Linux Server from RHUI 5 x86_64
Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

BZ - 628628 - CVE-2010-2956 sudo: incorrect handling of RunAs specification with both user and group lists

CVEs

CVE-2010-2956

References

http://www.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 5

SRPM
sudo-1.7.2p1-8.el5_5.src.rpm	SHA-256: 1f535f04b5f54350d8ba05d4ddb1920c38c80287c026e12e716be79789d03586
x86_64
sudo-1.7.2p1-8.el5_5.x86_64.rpm	SHA-256: 42d6a41f7e01a63906c49dd203237f84295ea0801812a5c1d909285dd7c55c5b
ia64
sudo-1.7.2p1-8.el5_5.ia64.rpm	SHA-256: 55acf31601016184c02a6de41bc2931228c8907e760081cc05b5dcf5b66526e1
i386
sudo-1.7.2p1-8.el5_5.i386.rpm	SHA-256: 707c9070c311e3c3d3ece156e8e472b698da7a73f5a3ac256d63c4da0182a728

Red Hat Enterprise Linux Workstation 5

SRPM
sudo-1.7.2p1-8.el5_5.src.rpm	SHA-256: 1f535f04b5f54350d8ba05d4ddb1920c38c80287c026e12e716be79789d03586
x86_64
sudo-1.7.2p1-8.el5_5.x86_64.rpm	SHA-256: 42d6a41f7e01a63906c49dd203237f84295ea0801812a5c1d909285dd7c55c5b
i386
sudo-1.7.2p1-8.el5_5.i386.rpm	SHA-256: 707c9070c311e3c3d3ece156e8e472b698da7a73f5a3ac256d63c4da0182a728

Red Hat Enterprise Linux Desktop 5

SRPM
sudo-1.7.2p1-8.el5_5.src.rpm	SHA-256: 1f535f04b5f54350d8ba05d4ddb1920c38c80287c026e12e716be79789d03586
x86_64
sudo-1.7.2p1-8.el5_5.x86_64.rpm	SHA-256: 42d6a41f7e01a63906c49dd203237f84295ea0801812a5c1d909285dd7c55c5b
i386
sudo-1.7.2p1-8.el5_5.i386.rpm	SHA-256: 707c9070c311e3c3d3ece156e8e472b698da7a73f5a3ac256d63c4da0182a728

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
sudo-1.7.2p1-8.el5_5.src.rpm	SHA-256: 1f535f04b5f54350d8ba05d4ddb1920c38c80287c026e12e716be79789d03586
s390x
sudo-1.7.2p1-8.el5_5.s390x.rpm	SHA-256: 010092b8706f3da3fb95195bf04eda942543fcd54c1a07d44837452c4ee1fd75

Red Hat Enterprise Linux for Power, big endian 5

SRPM
sudo-1.7.2p1-8.el5_5.src.rpm	SHA-256: 1f535f04b5f54350d8ba05d4ddb1920c38c80287c026e12e716be79789d03586
ppc
sudo-1.7.2p1-8.el5_5.ppc.rpm	SHA-256: 615611bc859383f67ba9dba0f9033b408f59d459c0dc04b030edee78306a003b

Red Hat Enterprise Linux Server from RHUI 5

SRPM
sudo-1.7.2p1-8.el5_5.src.rpm	SHA-256: 1f535f04b5f54350d8ba05d4ddb1920c38c80287c026e12e716be79789d03586
x86_64
sudo-1.7.2p1-8.el5_5.x86_64.rpm	SHA-256: 42d6a41f7e01a63906c49dd203237f84295ea0801812a5c1d909285dd7c55c5b
i386
sudo-1.7.2p1-8.el5_5.i386.rpm	SHA-256: 707c9070c311e3c3d3ece156e8e472b698da7a73f5a3ac256d63c4da0182a728

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories