Bug 784443 (CVE-2012-0809) - CVE-2012-0809 sudo: format string flaw in sudo_debug()
Summary: CVE-2012-0809 sudo: format string flaw in sudo_debug()
Alias: CVE-2012-0809
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 785771
Blocks: 784446
TreeView+ depends on / blocked
Reported: 2012-01-24 23:35 UTC by Vincent Danen
Modified: 2023-05-11 18:30 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-02-02 13:36:44 UTC

Attachments (Terms of Use)
proposed upstream patch (745 bytes, patch)
2012-01-24 23:37 UTC, Vincent Danen
no flags Details | Diff

Description Vincent Danen 2012-01-24 23:35:32 UTC
A flaw was reported in the debugging code of sudo versions 1.8.0 through 1.8.3p1 which can be used to crash sudo or, possibly, allow an unauthorized user to elevate their privileges via the debugging support added in sudo 1.8.0.  Due to a flaw in the sudo_debug() function, the program name (which can be controlled by the caller of sudo), is passed to fprintf() and can be exploited using standard format string exploitation techniques, allowing for the possible elevation to root privileges.

The calling user does _not_ need to be listed in the sudoers file in order to exploit this.


Red Hat would like to thank Todd C. Miller for reporting this issue.  Upstream acknowledges joernchen of Phenoelit as the original reporter.


Not vulnerable. This issue did not affect the versions of sudo as shipped with Red Hat Enterprise Linux 4, 5, or 6 as they did not include the vulnerable debugging support.

Comment 2 Vincent Danen 2012-01-24 23:37:45 UTC
Created attachment 557339 [details]
proposed upstream patch

Comment 5 Vincent Danen 2012-01-30 15:26:15 UTC
External References:


Comment 6 Vincent Danen 2012-01-30 15:28:11 UTC
Created sudo tracking bugs for this issue

Affects: fedora-16 [bug 785771]

Comment 7 Tomas Hoger 2012-01-30 15:54:48 UTC
(In reply to comment #5)
> http://www.sudo.ws/sudo/alerts/sudo_debug.html

Upstream advisory notes:

  On systems that support FORTIFY_SOURCE (most Linux and NetBSD), adding
  -D_FORTIFY_SOURCE=2 to the OSDEFS line in src/Makfile and rebuilding sudo
  will prevent the bug from being exploited.

which is what is the default on Fedora, making this issue a crash-only.

Comment 8 Fedora Update System 2012-01-31 22:00:08 UTC
sudo-1.8.3p1-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Nicolas Corrarello 2012-02-02 12:42:54 UTC
Fixed with the update mentioned in #8

[sgtpepper@conan ~]$ ./%s -D9
%s: settings: debug_level=9
%s: settings: progname=%s
%s: settings: implied_shell=true
%s: settings: network_addrs=************/ ************/ fe80::218:deff:fe7b:c1f3/ffff:ffff:ffff:ffff:: fe80::e845:4eff:fe71:58ca/ffff:ffff:ffff:ffff::
%s: sudo_mode 655361
%s: policy plugin returns -2
usage: %s [-D level] -h | -K | -k | -V
usage: %s -v [-AknS] [-D level] [-g groupname|#gid] [-p prompt] [-u user
usage: %s -l[l] [-AknS] [-D level] [-g groupname|#gid] [-p prompt] [-U user
          name] [-u user name|#uid] [-g groupname|#gid] [command]
usage: %s [-AbEHknPS] [-r role] [-t type] [-C fd] [-D level] [-g
          groupname|#gid] [-p prompt] [-u user name|#uid] [-g groupname|#gid]
          [VAR=value] [-i|-s] [<command>]
usage: %s -e [-AknS] [-r role] [-t type] [-C fd] [-D level] [-g groupname|#gid]
          [-p prompt] [-u user name|#uid] file ...
[sgtpepper@conan ~]$ rpm -q sudo
[sgtpepper@conan ~]$

Comment 10 Petr Matousek 2012-03-20 08:54:54 UTC

Presented CVE-2012-0809 exploit uses FORTIFY_SOURCE bypass method that is already fixed in Red Hat Enterprise Linux and Fedora. For further information please see bug 794766 (CVE-2012-0864).

Note You need to log in before you can comment on or make changes to this bug.