Bug 580441 (CVE-2010-1163) - CVE-2010-1163 sudo: incomplete fix for the sudoedit privilege escalation issue CVE-2010-0426
Status: CLOSED ERRATA
Alias: CVE-2010-1163
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 580525 580526 580527
Reported: 2010-04-08 09:44 UTC by Tomas Hoger
Modified: 2023-05-11 14:15 UTC
Doc Type: Bug Fix
Last Closed: 2010-12-22 15:56:48 UTC

Attachments:
  Upstream patch (542 bytes, patch) - 2010-04-08 09:46 UTC, Tomas Hoger

Links:
  Red Hat Product Errata RHSA-2010:0361 - normal - SHIPPED_LIVE - Moderate: sudo security update - last updated 2010-04-20 15:43:24 UTC

Description Tomas Hoger 2010-04-08 09:44:44 UTC
It was discovered that the original upstream fix for sudo's sudoedit privilege escalation flaw known as CVE-2010-0426 (see bug #567337) did not fully resolve the issue. In configurations where sudo's ignore_dot option was set to off (default is on), a user allowed to sudoedit some file with the privileges of some user could run an arbitrary command with the privileges of that user.

Acknowledgements:

Red Hat would like to thank Todd C. Miller, the upstream sudo maintainer, for responsibly reporting this issue. Upstream acknowledges Valerio Costamagna as the original reporter.

Comment 1 Tomas Hoger 2010-04-08 09:46:28 UTC
Created attachment 405247 [details]
Upstream patch

Comment 3 Tomas Hoger 2010-04-08 10:50:43 UTC
As with the original flaw, sudo versions in Red Hat Enterprise Linux 3 and 4 were not affected by this flaw, as they do not support the sudoedit special command.

This issue did *not* affect the sudo 1.6.9p17 packages released in RHSA-2010:0122 fixing CVE-2010-0426. In that sudo version, the ignore_dot option value cannot be changed from the sudoers configuration file and the compile-time default value is always used ('on' in RHEL sudo packages, configure run with --with-ignore-dot), as documented in the sudoers manpage:

  ignore_dot
    [ ... ]
    This flag is on by default.  Currently, while it is possible to set
    ignore_dot in sudoers, its value is not used.  This option should be
    considered read-only (it will be fixed in a future version of sudo).

However, RHBA-2010:0212, released as part of Red Hat Enterprise Linux 5.5, rebased the sudo packages to upstream version 1.7.2p1, which allows changing the ignore_dot option value using the sudoers configuration file. Hence, only users that already upgraded to the RHEL-5.5 sudo packages and changed the ignore_dot default value in the sudoers file can be affected by this flaw.

Comment 5 Tomas Hoger 2010-04-12 16:19:16 UTC
(In reply to comment #1)
> Created an attachment (id=405247) [details]
> Upstream patch

Committed upstream as: http://sudo.ws/repos/sudo/rev/07de8e40cb4c

Comment 6 Tomas Hoger 2010-04-13 14:42:01 UTC
Public now via:
  http://sudo.ws/sudo/alerts/sudoedit_escalate2.html

Fixed upstream in versions 1.7.2p6 and 1.6.9p22.
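As an added example (not part of this bug report and not sudo's own code), a defender-side check that combines the two conditions from the description and comment 3 with the fixed upstream versions from comment 6: it parses the version string that `sudo -V` prints and scans sudoers text for a `Defaults` line that turns `ignore_dot` off. The sudoers content below is constructed, and the assumption that branches other than 1.6 and 1.7 are already fixed is mine, not the bug's.

```python
import re

# Upstream versions carrying the complete fix, keyed by branch (comment 6).
# Assumption (not from the bug): branches not listed here are treated as fixed.
FIXED_BY_BRANCH = {(1, 7): (1, 7, 2, 6), (1, 6): (1, 6, 9, 22)}

# Constructed sample sudoers text, not a real configuration file.
SAMPLE_SUDOERS = """\
Defaults    env_reset
Defaults    !ignore_dot        # the setting the bug requires (default is on)
alice   ALL = sudoedit /etc/motd
"""

def parse_sudo_version(text):
    """Turn '1.7.2p1' (as printed by 'sudo -V') into (1, 7, 2, 1);
    a missing 'pN' patch suffix counts as p0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError("no sudo version found in %r" % text)
    return tuple(int(x or 0) for x in m.groups())

def version_has_fix(version):
    """True when the version is at or above its branch's fixed release."""
    fixed = FIXED_BY_BRANCH.get(version[:2])
    return fixed is None or version >= fixed

def ignore_dot_disabled(sudoers_text):
    """Return the Defaults lines that switch ignore_dot off.
    In sudoers a boolean flag is turned off by prefixing it with '!'."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line.startswith("Defaults"):
            continue
        # Remove the keyword and any qualifier (Defaults:user, Defaults@host, ...)
        # and split the comma-separated option list.
        opts = re.sub(r"^Defaults\S*\s+", "", line)
        if any(opt.strip() == "!ignore_dot" for opt in opts.split(",")):
            hits.append(raw.rstrip())
    return hits

def exposed(version_text, sudoers_text):
    """Both conditions from the bug must hold: an unfixed sudo and ignore_dot off."""
    unfixed = not version_has_fix(parse_sudo_version(version_text))
    return unfixed and bool(ignore_dot_disabled(sudoers_text))

if __name__ == "__main__":
    print("exposed:", exposed("Sudo version 1.7.2p1", SAMPLE_SUDOERS))  # True
```

Comment 3 notes that 1.6.9 builds ignored the sudoers value of ignore_dot, so a hit on that branch points at a configuration worth cleaning up rather than confirmed exposure; on a 1.7.2 build below p6 the sudoers hit is the condition that matters.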

Comment 7 Fedora Update System 2010-04-14 14:47:46 UTC
sudo-1.7.2p6-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/sudo-1.7.2p6-1.fc11

Comment 8 Fedora Update System 2010-04-14 14:48:12 UTC
sudo-1.7.2p6-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/sudo-1.7.2p6-1.fc12

Comment 9 Fedora Update System 2010-04-14 14:48:23 UTC
sudo-1.7.2p6-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/sudo-1.7.2p6-1.fc13

Comment 10 Vincent Danen 2010-04-16 04:58:46 UTC
This has been assigned CVE-2010-1163.

Comment 11 errata-xmlrpc 2010-04-20 15:43:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0361 https://rhn.redhat.com/errata/RHSA-2010-0361.html

Comment 12 Fedora Update System 2010-04-23 06:04:33 UTC
sudo-1.7.2p6-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2010-05-03 16:05:24 UTC
sudo-1.7.2p6-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2010-05-03 16:11:11 UTC
sudo-1.7.2p6-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
