CVE-2015-8239

Name: CVE-2015-8239
Description: The SHA-2 digest support in the sudoers plugin in sudo after 1.8.7 allows local users with write permissions to parts of the called command to replace them before it is executed.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 805563

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| sudo (PTS) | jessie | 1.8.10p3-1+deb8u5 | vulnerable |
| sudo | jessie (security) | 1.8.10p3-1+deb8u6 | vulnerable |
| sudo | stretch | 1.8.19p1-2.1 | fixed |
| sudo | stretch (security) | 1.8.19p1-2.1+deb9u1 | fixed |
| sudo | buster, buster (security) | 1.8.27-1+deb10u1 | fixed |
| sudo | bullseye, sid | 1.8.29-1 | fixed |

The information below is based on the following data on fixed versions.

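| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| sudo | source | (unstable) | 1.8.17p1-1 | | | 805563 |
| sudo | source | squeeze | (not affected) | | | |
| sudo | source | wheezy | (not affected) | | | |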

Notes

[jessie] - sudo <no-dsa> (Minor issue)
[wheezy] - sudo <not-affected> (Command digests are only supported by version 1.8.7 or higher)
[squeeze] - sudo <not-affected> (Command digests are only supported by version 1.8.7 or higher)
http://www.openwall.com/lists/oss-security/2015/11/10/2
