Gentoo Linux Security Advisory 201203-6 - Two vulnerabilities have been discovered in sudo, allowing local attackers to possibly gain escalated privileges. Versions less than 1.8.3_p2 are affected.
1a5fc85ff948260a7509a11c8d46123635e981c62090a8dc757d025322b5808d
Red Hat Security Advisory 2012-0309-03 - The sudo utility allows system administrators to give certain users the ability to run commands as root. A flaw was found in the sudo password checking logic. In configurations where the sudoers settings allowed a user to run a command using sudo with only the group ID changed, sudo failed to prompt for the user's password before running the specified command with the elevated group privileges. Various other issues have also been addressed in this advisory.
a827591da4fea2ba8c870bb76c75ed69cda355d31fcd569f1ba1cd76fc27be43
Mandriva Linux Security Advisory 2011-018 - A patch for parse.c in sudo does not properly interpret a system group in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo command. NOTE: this vulnerability exists because of a CVE-2009-0034 regression. check.c in sudo 1.7.x before 1.7.4p5, when a Runas group is configured, does not require a password for command execution that involves a gid change but no uid change, which allows local users to bypass an intended authentication requirement via the -g option to a sudo command.
d8fd379e68953f4a687be7bb6ecff5da28e252ae6870a740003011ee2ac4751e
Ubuntu Security Notice 1046-1 - Alexander Kurtz discovered that sudo would not prompt for a password when a group was specified in the Runas_Spec. A local attacker could exploit this to execute arbitrary code as the specified group if sudo was configured to allow the attacker to use a program as this group. The group Runas_Spec is not used in the default installation of Ubuntu.
cbd17cefa0607c1ef33b6ed2f963d362ae7aa92f029fde75d8d407dd186609fa