A flaw was found in sudo before version 1.9.5. A potential race condition in sudoedit could be used to test for the existence of directories not normally accessible to the user in certain circumstances. References: https://www.openwall.com/lists/oss-security/2021/01/11/2
Created sudo tracking bugs for this issue: Affects: fedora-all [bug 1915055]
External References: https://www.sudo.ws/stable.html#1.9.5
Upstream fix: https://www.sudo.ws/repos/sudo/rev/ea19d0073c02
Statement: This flaw has been rated as having a security impact of Low. The symbolic link protection is enabled by default in Red Hat Enterprise Linux 7 and 8, preventing this issue from being exploited.
From upstream 1.9.5 changelog: "[..] When creating a new file, sudoedit checks to make sure the parent directory of the new file exists before running the editor. However, a race condition exists if the invoking user can replace (or create) the parent directory. If a symbolic link is created in place of the parent directory, sudoedit will run the editor as long as the target of the link exists. If the target of the link does not exist, an error message will be displayed. The race condition can be used to test for the existence of an arbitrary directory. However, it cannot be used to write to an arbitrary location."
Mitigation: Enabling the symbolic link protection (/proc/sys/fs/protected_symlinks set to 1) is sufficient to mitigate this flaw.
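A host check for the two conditions named in this report (upstream sudo older than 1.9.5, and the `protected_symlinks` mitigation), added here as an example and not taken from the bug thread or from sudo. The function names and status words are assumptions of this example, and only release version strings such as `1.9.4p2` are handled.

```shell
#!/bin/sh
# Added example: classify a host against the sudoedit race in this report.
# Function names and status words are illustrative, not part of sudo.

# sudo_before_195 VERSION
# Returns 0 if the upstream release VERSION is older than 1.9.5,
# 1 if it is 1.9.5 or newer, 2 if VERSION cannot be parsed.
sudo_before_195() {
    # Keep only the dotted numeric prefix: "1.9.4p2" -> "1.9.4"
    v=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p')
    [ -n "$v" ] || return 2
    set -- $(printf '%s\n' "$v" | tr . ' ')
    n=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
    [ "$n" -lt 1009005 ]    # 1009005 encodes 1.9.5
}

# classify VERSION PROTECTED_SYMLINKS
# Prints: fixed | mitigated | unmitigated | unknown
# Caveat: this compares the upstream version only. Distribution packages can
# carry the fix as a backport (the report lists RHSA-2021:1723), so an older
# version string there means "check the package advisory", not "vulnerable".
classify() {
    rc=0
    sudo_before_195 "$1" || rc=$?
    case $rc in
        1) echo fixed ;;
        0) if [ "$2" = 1 ]; then echo mitigated; else echo unmitigated; fi ;;
        *) echo unknown ;;
    esac
}

# check_host: read the live values and print one summary line.
check_host() {
    ver=$(sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p' || true)
    sym=$(cat /proc/sys/fs/protected_symlinks 2>/dev/null || echo unknown)
    echo "sudo=${ver:-not-found} protected_symlinks=$sym status=$(classify "$ver" "$sym")"
}

check_host
```
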
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1723 https://access.redhat.com/errata/RHSA-2021:1723
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-23239