A security flaw was found in the way sudo granted access for a particular host when multiple netmask values were used in sudo's Host / Host_List configuration. Such a configuration allowed unprivileged users, who were authorized by the sudoers file to run their sudo commands, to run these commands from any host regardless of the Host_List configuration (even from hosts which, according to the Host_List netmask configuration, were not intended to allow execution of such commands).
This issue affects the versions of the sudo package as shipped with Red Hat Enterprise Linux 5 and 6.
This issue affects the versions of the sudo package as shipped with Fedora releases 15 and 16.
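For reference, the check that a Host_List with several netmask entries is meant to perform, as an added Python model written for this page (it is not sudo's code): it handles only IPv4 address/netmask entries and `!` negation, not hostnames or netgroups, and its last-match-wins precedence is an assumption of the example.

```python
import ipaddress
from typing import Iterable


def parse_host_entry(entry: str) -> ipaddress.IPv4Network:
    """Parse one sudoers Host written as 'addr', 'addr/prefixlen' or
    'addr/dotted.netmask' into the IPv4 network it denotes.

    strict=False mirrors an (addr & mask) comparison: host bits that are set
    in the sudoers address are masked off instead of being rejected.
    """
    if "/" not in entry:
        entry += "/32"          # a bare address matches only itself
    return ipaddress.IPv4Network(entry, strict=False)


def entry_matches(entry: str, interface_addrs: Iterable[str]) -> bool:
    """True if any local interface address lies inside this entry's network.

    Every entry is parsed on its own, so the netmask of one entry never
    leaks into the comparison done for the next one.
    """
    net = parse_host_entry(entry)
    return any(ipaddress.IPv4Address(a) in net for a in interface_addrs)


def host_list_allows(host_list: str, interface_addrs: Iterable[str]) -> bool:
    """Evaluate a comma-separated Host_List against the local addresses.

    Entries are scanned from last to first and the first one that matches
    decides: allow, or deny if it carries a '!' prefix. No match means deny.
    This precedence model is an assumption of the example.
    """
    addrs = list(interface_addrs)
    for raw in reversed([e.strip() for e in host_list.split(",")]):
        negated = raw.startswith("!")
        if entry_matches(raw.lstrip("!"), addrs):
            return not negated
    return False


# Constructed sample: a Host_List mixing a dotted-quad netmask, a CIDR
# prefix and a negated single host, evaluated for three constructed hosts.
SAMPLE_HOST_LIST = "10.0.1.0/255.255.255.0, 192.168.5.0/24, !192.168.5.13"

if __name__ == "__main__":
    for addrs in (["10.0.1.7"], ["192.168.5.13", "127.0.0.1"], ["172.16.0.4"]):
        print(addrs, "->", host_list_allows(SAMPLE_HOST_LIST, addrs))
```

The third constructed host (172.16.0.4) lies outside every netmask in the list and must be denied; that is the decision the flaw described above got wrong.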
Created attachment 583996: Proposed sudo-v1.7.x patch from Todd C. Miller
Created attachment 583997: Proposed sudo-v1.8.x patch from Todd C. Miller
The preliminary embargo date for this issue has been set to Wednesday, 2012-05-16.
Upstream advisory: [1] http://www.sudo.ws/sudo/alerts/netmask.html
Created sudo tracking bugs for this issue. Affects: fedora-all [bug 822175]
sudo-1.8.3p1-7.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
sudo-1.8.3p1-3.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6. Via RHSA-2012:1081 https://rhn.redhat.com/errata/RHSA-2012-1081.html