Published: 17 November 2015
sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by "/home/*/*/file.txt."
Launchpad, Ubuntu, Debian
|Ubuntu 20.04 LTS (Focal Fossa)||
|Ubuntu 18.04 LTS (Bionic Beaver)||
|Ubuntu 16.04 ESM (Xenial Xerus)||
|Ubuntu 14.04 ESM (Trusty Tahr)||
Backporting the fix for this issue is risky, may introduce regressions, and will change behaviour for existing users, possibly preventing them from using their existing configuration. For this reason, we will not be fixing this issue in stable releases.