[ASA-202002-2] sudo: privilege escalation
foxboron at archlinux.org
Thu Feb 6 14:44:56 UTC 2020
Arch Linux Security Advisory ASA-202002-2
Date : 2020-02-06
CVE-ID : CVE-2019-18634
Package : sudo
Type : privilege escalation
Remote : No
Link : https://security.archlinux.org/AVG-1093
The package sudo before version 1.8.31-1 is vulnerable to privilege
Upgrade to 1.8.31-1.
# pacman -Syu "sudo>=1.8.31-1"
The problem has been fixed upstream in version 1.8.31.
Ensure pwfeedback is disabled in /etc/sudoers with:
A flaw was found in the Sudo before version 1.8.31 application when the
’pwfeedback' option is set to true on the sudoers file. An
authenticated user can use this vulnerability to trigger a stack-based
buffer overflow under certain conditions even without Sudo privileges.
The buffer overflow may allow an attacker to expose or corrupt memory
information, crash the Sudo application, or possibly inject code to be
run as a root user.
An authenticated user is capable of escalating to root privileges.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the arch-security