Debian Long Term Support / LTS Security Information / 2022 / Security Information -- DLA-3181-1 sudo

Debian Security Advisory

DLA-3181-1 sudo -- LTS security update

Date Reported:

07 Nov 2022

Affected Packages:

sudo

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2021-23239.

More information:

It was discovered that there was a information disclosure utility in sudo, a tool used to provide limited superuser privileges to specific users. A local unprivileged user may have been able to perform arbitrary directory-existence tests by exploiting a race condition in sudoedit.

• CVE-2021-23239

  The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.

For Debian 10 Buster, this problem has been fixed in version 1.8.27-1+deb10u4.

We recommend that you upgrade your sudo packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS