Debian Security Advisory

DLA-3181-1 sudo -- LTS security update

Date Reported:
07 Nov 2022
Affected Packages:
sudo
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2021-23239.
More information:

It was discovered that there was an information disclosure vulnerability in sudo, a tool used to provide limited superuser privileges to specific users. A local unprivileged user may have been able to perform arbitrary directory-existence tests by exploiting a race condition in sudoedit.

  • CVE-2021-23239

    The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.

For Debian 10 Buster, this problem has been fixed in version 1.8.27-1+deb10u4.

We recommend that you upgrade your sudo packages.
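To check whether a Buster host still carries the vulnerable package, the installed sudo version has to be compared with the fixed version using Debian's version ordering (where, for example, `1.8.27-1` sorts before `1.8.27-1+deb10u4` and `~` sorts before everything). The following is an added example, not part of the advisory or of the sudo or dpkg projects: it reimplements dpkg's version comparison algorithm in Python and assumes the fixed version string given above.

```python
import itertools
import re

# Version carrying the fix for CVE-2021-23239 on Debian 10 "buster" (from the advisory).
FIXED_VERSION = "1.8.27-1+deb10u4"

def _order(c):
    # dpkg's character weights: '~' sorts before anything, even end of string
    # (weight 0); letters sort before other non-digit characters.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare an upstream version or Debian revision like dpkg's verrevcmp():
    # alternate between non-digit runs (by _order) and digit runs (numerically).
    while a or b:
        na, da, a = re.match(r"(\D*)(\d*)(.*)", a).groups()
        nb, db, b = re.match(r"(\D*)(\d*)(.*)", b).groups()
        for ca, cb in itertools.zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def debian_version_cmp(v1, v2):
    """Return -1, 0 or 1 comparing two Debian versions ([epoch:]upstream[-revision])."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:  # no hyphen: rpartition leaves the whole string in 'revision'
            upstream, revision = revision, ""
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed sudo predates the version that carries the fix."""
    return debian_version_cmp(installed, fixed) < 0
```

Feed `is_vulnerable()` the output of `dpkg-query -W -f='${Version}' sudo` from the host being checked; on a patched Buster system it returns False.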

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS