sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges.
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Sudo | Sudo_project | 1.6.8 (including) | 1.8.18 (including) |
| Red Hat Enterprise Linux 6 | RedHat | sudo-0:1.8.6p3-25.el6_8 | * |
| Red Hat Enterprise Linux 7 | RedHat | sudo-0:1.8.6p7-21.el7_3 | * |
| Sudo | Ubuntu | esm-infra-legacy/trusty | * |
| Sudo | Ubuntu | esm-infra/xenial | * |
| Sudo | Ubuntu | precise | * |
| Sudo | Ubuntu | precise/esm | * |
| Sudo | Ubuntu | trusty | * |
| Sudo | Ubuntu | trusty/esm | * |
| Sudo | Ubuntu | upstream | * |
| Sudo | Ubuntu | vivid/stable-phone-overlay | * |
| Sudo | Ubuntu | vivid/ubuntu-core | * |
| Sudo | Ubuntu | xenial | * |
| Sudo | Ubuntu | yakkety | * |