USN-983-1: Sudo vulnerability
Ubuntu.com/usn: Referenced CVEs:
CVE-2010-2956
Description:
===========================================================
Ubuntu Security Notice USN-983-1         September 07, 2010
sudo vulnerability
CVE-2010-2956
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  sudo                            1.7.0-1ubuntu2.5
  sudo-ldap                       1.7.0-1ubuntu2.5

Ubuntu 10.04 LTS:
  sudo                            1.7.2p1-1ubuntu5.2
  sudo-ldap                       1.7.2p1-1ubuntu5.2

In general, a standard system update will make all the necessary changes.

Details follow:

Markus Wuethrich discovered that sudo did not always verify the user when a
group was specified in the Runas_Spec. A local attacker could exploit this
to execute arbitrary code as root if sudo was configured to allow the
attacker to use a program as a group when the attacker was not a part of
that group.
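
The advisory ties exposure to sudoers rules whose Runas_Spec names a group. The following audit helper is an added example, not part of the advisory or of sudo itself: a heuristic scan (not a full sudoers parser, and it does not follow #include or #includedir) that lists such rules so an administrator can review them on hosts that have not yet been upgraded. The sample sudoers text and all function names are constructed for illustration.

```python
import re

# Runas_Spec with a group part: "(users : groups)" or "(: groups)"
RUNAS_WITH_GROUP = re.compile(r"\(\s*([^():]*?)\s*:\s*([^():]+?)\s*\)")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# Constructed sample sudoers content, not taken from the advisory
SAMPLE = r"""# constructed sample
Defaults env_reset
root    ALL=(ALL) ALL
alice   ALL = (root : operator) /usr/bin/id
bob     ALL = (: adm, disk) NOPASSWD: /usr/bin/less \
              /var/log/syslog
%admin  ALL=(ALL) ALL
"""

def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def strip_comment(line):
    # '#' starts a comment unless it introduces a numeric id such as #0
    return re.sub(r"#(?!\d).*", "", line).strip()

def runas_group_rules(text):
    """Return (line, subject, runas_users, runas_groups) for each rule
    whose Runas_Spec names at least one group."""
    findings = []
    for lineno, line in logical_lines(text):
        line = strip_comment(line)
        if not line or line.startswith(SKIP) or "=" not in line:
            continue
        who, _, rest = line.partition("=")
        for m in RUNAS_WITH_GROUP.finditer(rest):
            users = [u.strip() for u in m.group(1).split(",") if u.strip()]
            groups = [g.strip() for g in m.group(2).split(",") if g.strip()]
            findings.append((lineno, who.split()[0], users, groups))
    return findings

if __name__ == "__main__":
    for lineno, who, users, groups in runas_group_rules(SAMPLE):
        print(f"line {lineno}: {who} may run as group(s) {', '.join(groups)}")
```

Rules it reports are the ones to review first; rules with a plain "(ALL)" or "(user)" Runas_Spec carry no group part and are not listed.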