Todd Miller · Sudo · CVE-2010-1163
**Name of the Vulnerable Software and Affected Versions**
sudo versions 1.6.8 through 1.7.2p5, inclusive. The fix shipped in sudo 1.7.2p6, which is not affected.
**Description**
The command-matching code in sudo does not correctly handle the case where an executable in the current working directory has the same name as a pseudo-command in the sudoers file (the pseudo-command in question is `sudoedit`). If the user's PATH contains an entry for ".", sudo can match such a file against the user's `sudoedit` entry and execute it as the target user, typically root, instead of entering its built-in edit mode. A local user who is granted `sudoedit` in sudoers can therefore drop a Trojan horse executable named `sudoedit` into the current directory and run arbitrary commands with root privileges. This is a separate issue from CVE-2010-0426, whose fix in 1.7.2p5 did not cover this case. Successful exploitation gives full control of the target account, so the confidentiality, integrity and availability of everything that account can reach are at risk.
**Recommendations**
Update sudo to version 1.7.2p6 or later. 1.7.2p6 is the release that corrects the command matching; every release from 1.6.8 up to and including 1.7.2p5 needs the upgrade.
As a temporary workaround until the upgrade is applied, remove `sudoedit` grants from sudoers for users who do not strictly need them, and make sure that the PATH of any user who keeps a `sudoedit` grant contains no "." entry. Check PATH for empty elements as well (for example a leading or trailing ":"), since a POSIX shell resolves an empty element to the current directory too.
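The following POSIX sh audit script is an added example and is not part of the original advisory or of the sudo project. It checks the preconditions the description and workaround above name: an installed sudo in the affected range 1.6.8 through 1.7.2p5, a PATH entry that resolves to the current directory, and a sudoers grant of the bare `sudoedit` pseudo-command. The PATH check generalizes slightly beyond the advisory's ".": any relative element ("", ".", "./x", "bin") resolves against the current directory, so all are flagged. The sudoers scan is a line-oriented heuristic, not a full sudoers parser, and the two sudoers fragments are constructed samples.

```shell
#!/bin/sh
# Audit helper for CVE-2010-1163 (added example, not sudo project code).

# Convert a sudo version string such as "1.7.2p5" or "1.6.9p17" into a single
# integer so versions can be compared with -ge/-le. Missing fields count as 0,
# so "1.7.2" sorts before "1.7.2p1". Each field is assumed to be below 1000.
sudo_version_num() {
    v=$1 p=0
    case $v in *p*) p=${v##*p}; v=${v%p*} ;; esac
    a=${v%%.*}; v=${v#"$a"}; v=${v#.}
    b=${v%%.*}; v=${v#"$b"}; v=${v#.}
    c=${v%%.*}
    echo $(( ((${a:-0} * 1000 + ${b:-0}) * 1000 + ${c:-0}) * 1000 + p ))
}

# True (exit 0) when VERSION lies in the affected range 1.6.8 .. 1.7.2p5
# inclusive, the range given in the advisory above.
sudo_version_affected() {
    n=$(sudo_version_num "$1")
    lo=$(sudo_version_num 1.6.8)
    hi=$(sudo_version_num 1.7.2p5)
    [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]
}

# True when the PATH-style string in $1 contains an element that resolves
# against the current working directory: ".", an empty element (leading,
# trailing or doubled ":"), or any other relative path. Empty elements are
# preserved by splitting manually instead of relying on IFS word splitting.
path_has_cwd_entry() {
    rest="$1:"                      # trailing ":" terminates the last element
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case $dir in
            /*) ;;                  # absolute path: fine
            *)  return 0 ;;         # "", ".", "./x", "bin": relative to cwd
        esac
    done
    return 1
}

# Heuristic: true when the sudoers text in $1 grants the bare "sudoedit"
# pseudo-command on a non-comment line. A path such as /usr/bin/sudoedit is
# an ordinary command entry, not the pseudo-command, and is not matched.
sudoers_grants_sudoedit() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep -Eq '(^|[[:space:]=,])sudoedit([[:space:]]|$)'
}

# Constructed sample sudoers fragments (not real configuration).
SAMPLE_SUDOERS_WITH_SUDOEDIT='# constructed sample
Defaults env_reset
alice ALL = (root) sudoedit /etc/motd
%wheel ALL = (ALL) ALL'

SAMPLE_SUDOERS_SAFE='# constructed sample: sudoedit appears only in this comment
Defaults env_reset
bob ALL = (root) /usr/bin/systemctl restart nginx'

# Live check of this host: version from "sudo -V" and the caller's PATH.
# Returns 1 if either the version or the PATH is a problem.
audit_host() {
    status=0
    if command -v sudo >/dev/null 2>&1; then
        ver=$(sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p')
        if [ -n "$ver" ] && sudo_version_affected "$ver"; then
            echo "sudo $ver is in the affected range 1.6.8..1.7.2p5: upgrade to 1.7.2p6 or later"
            status=1
        else
            echo "sudo ${ver:-(unknown version)} is outside the affected range"
        fi
    else
        echo "sudo not found in PATH"
    fi
    if path_has_cwd_entry "$PATH"; then
        echo "PATH contains a relative entry (\".\", empty, or similar): $PATH"
        status=1
    fi
    return $status
}

# Run the live audit only when invoked as: sh audit.sh --audit
[ "${1-}" = "--audit" ] && audit_host
```

Run it with `--audit` on the host in question; feed the contents of /etc/sudoers (and any files under /etc/sudoers.d) to `sudoers_grants_sudoedit` to find which users' grants must be removed or whose PATH must be cleaned while the upgrade is pending.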