Mike McGrath reported a segfault in sudo to the Red Hat Security Response Team. Upon investigating this, it turned out to be a NULL dereference crash, but we still don't like those in sudo.

Here are the details (I'm using the F10 srpm as my source here).

If you run sudo with the argument -u '#111' where the UID doesn't exist, it will segfault.

The command line for the below gdb session was:

    (gdb) run -u '#111'

If I break in runas_setgroups()

    (gdb) frame
    #0  runas_setgroups () at set_perms.c:431
    431         if (initgroups(pw->pw_name, pw->pw_gid) < 0)
    (gdb) print *pw
    $4 = {pw_name = 0x0, pw_passwd = 0x0, pw_uid = 111, pw_gid = 0, pw_gecos = 0x0, pw_dir = 0x0, pw_shell = 0x0}

This is the result of code in sudo.c:1266 that creates a fake zeroed passwd structure. The initgroups function does specify that the user argument cannot be NULL.
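The condition described in the report above, as an added example that is not part of the original report and is not sudo's code: a "#uid" argument with no passwd entry yields a zeroed struct, and a guard keeps the NULL pw_name away from an initgroups-style call. The function names, the counting stub and the choice to skip (rather than fail) when there is no name are assumptions of this sketch.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Same shape as initgroups(3), so a stub can stand in for it here. */
typedef int (*initgroups_fn)(const char *user, gid_t group);

/* Constructed stub: counts calls instead of touching real group state. */
static int stub_calls;
static int stub_initgroups(const char *u, gid_t g) { (void)u; (void)g; stub_calls++; return 0; }

/* The fallback the report describes: zeroed struct, only pw_uid set. */
static void fake_passwd(uid_t uid, struct passwd *pw)
{ memset(pw, 0, sizeof(*pw)); pw->pw_uid = uid; }

/* Parse "#<uid>"; returns 0 and fills *pw, or -1 on malformed input. */
static int resolve_runas(const char *arg, struct passwd *pw)
{
    char *end;
    if (arg == NULL || arg[0] != '#' || arg[1] < '0' || arg[1] > '9')
        return -1;
    errno = 0;
    unsigned long v = strtoul(arg + 1, &end, 10);
    if (errno != 0 || *end != '\0')
        return -1;
    struct passwd *found = getpwuid((uid_t)v);
    if (found != NULL) *pw = *found; else fake_passwd((uid_t)v, pw);
    return 0;
}

/* 1 = groups set, 0 = skipped (no name to look up), -1 = call failed.
 * Skipping is this example's policy choice, an assumption. */
static int runas_setgroups_checked(const struct passwd *pw, initgroups_fn set)
{
    if (pw == NULL || pw->pw_name == NULL)
        return 0;
    return set(pw->pw_name, pw->pw_gid) < 0 ? -1 : 1;
}

int main(void)
{
    struct passwd pw;
    if (resolve_runas("#111", &pw) != 0) return 1;
    printf("uid=%lu name=%s -> %d\n", (unsigned long)pw.pw_uid,
           pw.pw_name ? pw.pw_name : "(null)", runas_setgroups_checked(&pw, stub_initgroups));
    return 0;
}
```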
Fixed in the current version of sudo in F-10 (and also in F-11 and rawhide).