Description:

The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root.

A flaw was found in the way sudo handled time stamp files. An attacker able to run code as a local user and with the ability to control the system clock could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's password. (CVE-2013-1775)

It was found that sudo did not properly validate the controlling terminal device when the tty_tickets option was enabled in the /etc/sudoers file. An attacker able to run code as a local user could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's password. (CVE-2013-1776, CVE-2013-2776)

This update also fixes the following bugs:

* Due to a bug in the cycle detection algorithm of the visudo utility, visudo incorrectly evaluated certain alias definitions in the /etc/sudoers file as cycles. Consequently, a warning message about undefined aliases appeared. This bug has been fixed, /etc/sudoers is now parsed correctly by visudo and the warning message no longer appears. (BZ#849679)

* Previously, the 'sudo -l' command did not parse the /etc/sudoers file correctly if it contained an Active Directory (AD) group. The file was parsed only up to the first AD group information and then the parsing failed with the following message:

sudo: unable to cache group ADDOM\admingroup, already exists

With this update, the underlying code has been modified and 'sudo -l' now parses /etc/sudoers containing AD groups correctly. (BZ#855836)

* Previously, the sudo utility did not escape the backslash characters contained in user names properly. Consequently, if a system used sudo integrated with LDAP or Active Directory (AD) as the primary authentication mechanism, users were not able to authenticate on that system. With this update, sudo has been modified to process LDAP and AD names correctly and the authentication process now works as expected. (BZ#869287)

* Prior to this update, the 'visudo -s (strict)' command incorrectly parsed certain alias definitions. Consequently, an error message was issued. The bug has been fixed, and parsing errors no longer occur when using 'visudo -s'. (BZ#905624)

All sudo users are advised to upgrade to this updated package, which contains backported patches to correct these issues.
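Added here as an audit aid, not part of the advisory or of the sudo project: a Python parser for /etc/sudoers Defaults lines that reports the two settings the issues above turn on, the credential cache lifetime (timestamp_timeout, where 0 means sudo prompts on every run per the sudoers manual) and tty_tickets. The sample sudoers content is constructed, and the script reads only the text it is given, not included files or the package's compile-time defaults.

```python
import re

# Constructed /etc/sudoers excerpt (not from the advisory): global, per-user,
# negated, comma-separated and backslash-continued Defaults lines.
SAMPLE_SUDOERS = """\
Defaults    env_reset, requiretty   # trailing comment
Defaults    timestamp_timeout=15, \\
            tty_tickets
Defaults:alice  !tty_tickets
root    ALL=(ALL)       ALL
"""

def parse_defaults(text):
    """Yield (scope, option, value) per option on every Defaults line.
    scope: '' for global, else the ':user'/'@host'/'!cmd'/'>runas' qualifier.
    value: True for a flag, False for '!flag', or the string after '='."""
    text = text.replace("\\\n", " ")          # join continuation lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"Defaults([:@!>]\S+)?\s+(.+)", line)
        if not m:
            continue
        scope = m.group(1) or ""
        for opt in filter(None, (o.strip() for o in m.group(2).split(","))):
            if "=" in opt:
                name, val = opt.split("=", 1)
                yield scope, name.strip(), val.strip().strip('"')
            elif opt.startswith("!"):
                yield scope, opt[1:], False
            else:
                yield scope, opt, True

def audit_defaults(text):
    """Summarise the global settings the two advisory issues hinge on.
    Later global Defaults override earlier ones; scoped ones are listed."""
    entries = list(parse_defaults(text))
    glob = {n: v for s, n, v in entries if not s}      # last global value wins
    timeout = glob.get("timestamp_timeout")
    t = None if timeout is None else float(timeout)
    findings = ["timestamp_timeout unset: build default applies" if t is None else
                "timestamp_timeout=0: password required on every run" if t == 0 else
                "timestamp_timeout<0: cached credentials never expire" if t < 0 else
                f"timestamp_timeout={timeout}: cached for {timeout} min"]
    tty = glob.get("tty_tickets")
    findings.append({True: "tty_tickets enabled globally", False: "tty_tickets disabled globally"}
                    .get(tty, "tty_tickets not set globally: build default applies"))
    findings += [f"{s} overrides {n}={v}" for s, n, v in entries
                 if s and n in ("tty_tickets", "timestamp_timeout")]
    return {"timestamp_timeout": timeout, "tty_tickets": tty, "findings": findings}
```

Run it over the real file's text (for example `audit_defaults(open("/etc/sudoers").read())` as root) to see which hosts still cache credentials while the update is rolled out.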