Bug 668843 - (CVE-2011-0008) CVE-2011-0008 sudo in Fedora vulnerable to CVE-2009-0034 again due to improper patch rediff
CVE-2011-0008 sudo in Fedora vulnerable to CVE-2009-0034 again due to imprope...
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
public=20110114,reported=20110111,sou...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-01-11 13:56 EST by Vincent Danen
Modified: 2015-07-31 08:31 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-21 10:34:14 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
corrected getgrouplist patch (1.52 KB, patch)
2011-01-11 23:49 EST, Vincent Danen
no flags Details | Diff

  None (edit)
Description Vincent Danen 2011-01-11 13:56:01 EST
Due to upstream changes in how sudo 1.7.3 handles group membership checks, the patch used to correct bug #235915 (sudo can't always correctly determine group memberships) was incorrectly rediffed, making sudo in Fedora once again vulnerable to CVE-2009-0034 (incorrect handling of groups in Runas_User).

Statement:

Not vulnerable. This issue did not affect the versions of sudo as shipped with Red Hat Enterprise Linux 4, 5, or 6.
Comment 4 Vincent Danen 2011-01-11 23:49:34 EST
Created attachment 472949 [details]
corrected getgrouplist patch

Note You need to log in before you can comment on or make changes to this bug.