CVE-2015-5602

Published: 17 November 2015

sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by "/home/*/*/file.txt."
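
The description above names the risky pattern: a sudoedit rule whose path contains multiple wildcards. The following audit sketch is an added example, not code from this tracker entry or from the sudo project; it uses a simplified heuristic parser, and the sample sudoers text and function names are constructed for illustration.

```python
import re

# Constructed sample sudoers content (not taken from the advisory).
SAMPLE_SUDOERS = r"""
# editors may change their own notes
%editors ALL = (root) sudoedit /home/*/*/file.txt
alice    ALL = (root) sudoedit /etc/motd, /usr/bin/less /var/log/*
Cmnd_Alias WEBEDIT = sudoedit /srv/www/*/conf/*.conf, \
                     sudoedit /etc/nginx/nginx.conf
bob      ALL = NOPASSWD: sudoedit /var/app/*/settings.ini
"""

WILDCARDS = re.compile(r"[*?]")  # glob characters counted per path


def logical_lines(text):
    """Join backslash-continued lines; drop blank and comment lines."""
    joined = re.sub(r"\\\r?\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def risky_sudoedit_paths(text, threshold=2):
    """Return (path, wildcard_count) for each sudoedit path argument
    that contains at least `threshold` wildcards."""
    findings = []
    for line in logical_lines(text):
        # Everything after the first '=' is the command list.
        _, sep, cmds = line.partition("=")
        if not sep:
            continue
        cmds = re.sub(r"\([^)]*\)", " ", cmds)  # drop "(runas)" specs
        for cmd in cmds.split(","):
            words = cmd.split()
            while words and words[0].endswith(":"):  # tags, e.g. NOPASSWD:
                words.pop(0)
            if not words or words[0] != "sudoedit":
                continue
            for path in words[1:]:
                count = len(WILDCARDS.findall(path))
                if count >= threshold:
                    findings.append((path, count))
    return findings


if __name__ == "__main__":
    for path, count in risky_sudoedit_paths(SAMPLE_SUDOERS):
        print(f"review: sudoedit {path} ({count} wildcards)")
```

Files pulled in through include directives are not followed, so each sudoers fragment has to be passed to the function separately.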

Notes

Author: mdeslaur
Note:
Backporting the fix for this issue is risky, may introduce
regressions, and will change behaviour for existing users,
possibly preventing them from using their existing
configuration.

For this reason, we will not be fixing this issue in stable
releases.

Priority

Medium

Status

Package: sudo (Launchpad, Ubuntu, Debian)

Release    Status
artful     Not vulnerable (1.8.16-0ubuntu1)
bionic     Not vulnerable (1.8.16-0ubuntu1)
cosmic     Not vulnerable (1.8.16-0ubuntu1)
disco      Not vulnerable (1.8.16-0ubuntu1)
eoan       Not vulnerable (1.8.16-0ubuntu1)
focal      Not vulnerable (1.8.16-0ubuntu1)
precise    Ignored
trusty     Ignored
upstream   Released (1.8.16)
vivid      Ignored (reached end-of-life)
wily       Ignored (reached end-of-life)
xenial     Not vulnerable (1.8.16-0ubuntu1)
yakkety    Not vulnerable (1.8.16-0ubuntu1)
zesty      Not vulnerable (1.8.16-0ubuntu1)

Patches:
upstream: https://www.sudo.ws/repos/sudo/rev/33272418bb10
upstream: https://www.sudo.ws/repos/sudo/rev/c2e36a80a279
upstream: https://www.sudo.ws/repos/sudo/rev/b41c5b289f35
upstream: https://www.sudo.ws/repos/sudo/rev/574e4a840879
upstream: https://www.sudo.ws/repos/sudo/rev/3f559a389bf9
upstream: https://www.sudo.ws/repos/sudo/rev/fe50d0c1f1b9