CVE-2015-8239

NameCVE-2015-8239
DescriptionThe SHA-2 digest support in the sudoers plugin in sudo after 1.8.7 allows local users with write permissions to parts of the called command to replace them before it is executed.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: local)
Debian Bugs805563

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sudo (PTS)jessie1.8.10p3-1+deb8u5vulnerable
jessie (security)1.8.10p3-1+deb8u4vulnerable
stretch1.8.19p1-2.1fixed
bullseye, sid, buster1.8.27-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sudosource(unstable)1.8.17p1-1medium805563
sudosourcesqueeze(not affected)
sudosourcewheezy(not affected)

Notes

[jessie] - sudo <no-dsa> (Minor issue)
[wheezy] - sudo <not-affected> (Command digests are only supported by version 1.8.7 or higher)
[squeeze] - sudo <not-affected> (Command digests are only supported by version 1.8.7 or higher)
http://www.openwall.com/lists/oss-security/2015/11/10/2

Search for package or bug name: Reporting problems