Description
Sudo before 1.9.13p2 has a double free in the per-command chroot feature.
A double-free vulnerability was found in Sudo in the per-command chroot feature. This flaw exists due to a boundary error when matching a sudoer rule that contains a per-command chroot directive (CHROOT=dir). By sending a specially-crafted request, a local privileged attacker can elevate privileges and execute arbitrary code on the system.
Report
CHROOT support was only added in Sudo v1.9.3, and Sudo v1.9.8 included a fix for a memory leak in the set_cmnd_path() function, which can result in the "user_cmnd" variable being freed twice, but only when processing a sudoers rule that contains a "CHROOT" setting. This does not affect the "chroot" Defaults setting; only a per-rule "CHROOT" setting will trigger the bug. Hence, it only affects Sudo v1.9.8 through 1.9.13p1. Red Hat Enterprise Linux 6, 7, 8, and 9 ship earlier versions of Sudo that do not contain the vulnerable code. Thus, they are not affected.
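The two conditions above (a Sudo version from 1.9.8 through 1.9.13p1, and a per-rule CHROOT= setting rather than a Defaults chroot) can be checked together. The following is an added example, not code from the advisory or from the Sudo project; the function names and the sample policy are constructed for illustration, and it assumes the sudoers text is passed in as one string (included files are not followed, trailing comments are not stripped).

```python
import re

# Affected range as stated on the page: Sudo 1.9.8 through 1.9.13p1.
FIRST_AFFECTED = (1, 9, 8, 0)
LAST_AFFECTED = (1, 9, 13, 1)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")
CHROOT_TAG_RE = re.compile(r"\bCHROOT\s*=")  # per-rule option is upper case

def parse_sudo_version(text):
    """Turn e.g. 'Sudo version 1.9.13p1' into (1, 9, 13, 1)."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no sudo version in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_in_affected_range(text):
    return FIRST_AFFECTED <= parse_sudo_version(text) <= LAST_AFFECTED

def per_rule_chroot_lines(sudoers_text):
    """Return (first_line_number, rule) for rules with a per-rule CHROOT=."""
    hits, pending, start = [], "", 0
    for number, raw in enumerate(sudoers_text.splitlines(), 1):
        if not pending:
            start = number
        pending += raw.rstrip()
        if pending.endswith("\\"):      # continuation: join with the next line
            pending = pending[:-1] + " "
            continue
        rule, pending = " ".join(pending.split()), ""
        # Skip comments / #include (but not "#uid" users) and Defaults lines:
        # the page states the Defaults chroot setting does not trigger the bug.
        if re.match(r"#(?!\d)|Defaults", rule):
            continue
        if CHROOT_TAG_RE.search(rule):
            hits.append((start, rule))
    return hits

def exposed(version_text, sudoers_text):
    """True only when both conditions from the advisory hold."""
    return version_in_affected_range(version_text) and bool(
        per_rule_chroot_lines(sudoers_text))

# Constructed sample policy, not taken from any real host.
SAMPLE_SUDOERS = """\
Defaults chroot=/srv/jail
# bob ALL = CHROOT=/old /bin/true
alice ALL = (root) \\
    CHROOT=/srv/jail /usr/bin/id
carol ALL = (ALL) /usr/bin/less
"""
```

Feed `version_in_affected_range` the first line of `sudo -V` output; a host is flagged only when the version is in range and at least one non-comment, non-Defaults rule carries CHROOT=.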
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | sudo | Not affected | | |
| Red Hat Enterprise Linux 7 | sudo | Not affected | | |
| Red Hat Enterprise Linux 8 | sudo | Not affected | | |
| Red Hat Enterprise Linux 9 | sudo | Not affected | | |
Additional information
CVSS3: 6.4 Medium