prushik--- via plug on 14 Oct 2019 20:59:27 -0700



Re: [PLUG] Sudo flaw




>On 10/14/19 7:58 PM, Joe Rosato via plug wrote:
>> The Hacker News (@TheHackersNews) tweeted at 2:32 PM on Mon, Oct 14, 2019:
>> 🔥 CVE-2019-14287
>> 
>> A flaw in Sudo—that comes installed on almost every #Linux OS—could let
>> users run commands as "root" even when they're restricted.
>> 
>> Details ➤ https://t.co/NeFvITBR73
>> 
>> How? Just by specifying user ID "-1" or "4294967295" in the command 
>> instead of the root. 

Oh goodness, better upgrade sudo as soon as possible!
Oh, but wait, I don't use sudo to grant access to all users except root, so this doesn't apply to me... or anybody at all for that matter, because it doesn't make any sense to ever configure sudoers that way.
I thought CVE meant *common* vulnerability and exposure.
Has anybody ever _even once_ written a sudoers file like this? If not, it seems more like misconfiguration than a vulnerability. A sudo bug, for sure, but the exploitable setup doesn't seem at all realistic.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
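
Added example (not part of the original message, and not code from the sudo project): a Python sketch that scans sudoers text for the configuration this thread is about, a Runas user list that grants ALL with an exclusion such as !root, so an administrator can check whether any such rule exists locally. The sample input is constructed, the function names are hypothetical, and the parser assumes one alias per Runas_Alias line and does not follow include directives.

```python
import re
import sys

# Constructed sample sudoers text (not from a real system).
SAMPLE = """\
# constructed sample
Runas_Alias NOTROOT = ALL, !root
alice ALL = (ALL, !root) /usr/bin/vi
bob   ALL = (ALL : ALL) ALL
carol ALL = (NOTROOT) /usr/bin/id
dave  ALL = (ALL, \\
         !#0) NOPASSWD: /bin/ls
erin  ALL = (www-data) /usr/bin/systemctl
"""

ALIAS_RE = re.compile(r"^Runas_Alias\s+(\w+)\s*=\s*(.+)$")
RUNAS_RE = re.compile(r"\(([^)]*)\)")

def logical_lines(text):
    """Join backslash continuations, drop comments and blank lines."""
    for raw in text.replace("\\\n", " ").splitlines():
        # '#' followed by digits is a uid (e.g. #0), not a comment.
        line = re.sub(r"#(?!\d).*", "", raw).strip()
        if line:
            yield " ".join(line.split())

def split_list(spec):
    return [re.sub(r"^!\s+", "!", i.strip()) for i in spec.split(",") if i.strip()]

def audit(text):
    """Return rules whose Runas user list is ALL plus a negated entry."""
    lines = list(logical_lines(text))
    aliases = {m.group(1): split_list(m.group(2))
               for m in map(ALIAS_RE.match, lines) if m}
    findings = []
    for line in lines:
        if ALIAS_RE.match(line):
            continue
        for spec in RUNAS_RE.findall(line):
            users = split_list(spec.split(":")[0])  # part before ':' is the user list
            expanded = [x for u in users for x in aliases.get(u, [u])]
            if "ALL" in expanded and any(x.startswith("!") for x in expanded):
                findings.append(line)
                break
    return findings

if __name__ == "__main__":
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE]
    for text in texts:
        for rule in audit(text):
            print("ALL-with-exclusion Runas list:", rule)
```

Pass sudoers file paths as arguments to scan them; with no arguments it runs on the constructed sample.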