FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

sudo -- potential privilege escalation via symlink misconfiguration

Affected packages
sudo < 1.8.15

Details

VuXML ID 2e8cdd36-c3cc-11e5-b5fe-002590263bf5
Discovery 2015-11-17
Entry 2016-01-26

MITRE reports:

sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by "/home/*/*/file.txt."
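
A defensive check for the condition described above, as an added example (not part of the VuXML entry or the sudo project): it tests a version string against the advisory's 1.8.15 threshold and scans sudoers text for sudoedit rules whose paths contain wildcards. The function names, the constructed sample rules and the "review" verdict for a single wildcard are assumptions made here.

```python
import re

FIXED = (1, 8, 15)  # the advisory lists sudo < 1.8.15 as affected
SUDOEDIT = re.compile(r"(?<![\w/.-])sudoedit\s+([^,]+)")
WILDCARD = re.compile(r"(?<!\\)[*?\[]")  # unescaped glob characters

def is_affected(version):
    """True when a sudo version such as '1.8.14p3' is older than 1.8.15."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    return tuple(map(int, m.groups())) < FIXED

def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf = ""
    if buf:
        yield start, buf

def audit_sudoedit(text):
    """Return (line, path, wildcard_count, verdict) for wildcarded sudoedit paths."""
    findings = []
    for no, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue  # simplification: only whole-line comments are skipped
        for spec in SUDOEDIT.finditer(line):
            for path in spec.group(1).split():
                n = len(WILDCARD.findall(path))
                if n >= 2:  # "multiple wildcards", as in the MITRE text
                    findings.append((no, path, n, "matches advisory pattern"))
                elif n == 1:  # assumption: a single wildcard still merits a look
                    findings.append((no, path, n, "review"))
    return findings

SAMPLE = r"""# constructed sample, not a real configuration
alice ALL = (root) NOPASSWD: sudoedit /home/*/*/file.txt
bob   ALL = sudoedit /etc/motd, /usr/bin/less /var/log/*
carol ALL = sudoedit /srv/www/*/index.html, \
            sudoedit /etc/hosts
"""
```

Calling `audit_sudoedit(SAMPLE)` reports the rule on line 2 as matching the advisory pattern and the continued rule starting on line 4 as needing review; the non-sudoedit wildcard on line 3 is ignored.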

References

CVE Name CVE-2015-5602
FreeBSD PR ports/206590
URL http://www.sudo.ws/stable.html#1.8.15
URL https://bugzilla.sudo.ws/show_bug.cgi?id=707
URL https://www.exploit-db.com/exploits/37710/