CVE-2010-1163

Name of the Vulnerable Software and Affected Versions sudo versions 1.6.8 through 1.7.2p5 sudo version 1.7.2 p6 and earlier

Description The issue concerns a command matching functionality problem in sudo, where a file in the current working directory with the same name as a pseudo-command in the sudoers file can be exploited if the PATH contains an entry for ".". This allows local users to execute arbitrary commands via a Trojan horse executable. For example, this can be demonstrated using sudoedit. The exploitation of this issue can lead to a breach of confidentiality, integrity, and availability of protected information.

Recommendations For versions 1.6.8 through 1.7.2p5, update to version 1.7.2 p6 or later to resolve the issue. For version 1.7.2 p6 and earlier, update to a version later than 1.7.2 p6 to mitigate the risk. As a temporary workaround, consider restricting the use of the sudoedit function and ensuring that the PATH environment variable does not contain an entry for "." to minimize the risk of exploitation.