Courtesan Information for VU#820083

sudo vulnerable to heap corruption via -p parameter



Vendor Statement

Date: Thu, 25 Apr 2002 10:34:13 -0600
From: Todd C. Miller
Subject: Sudo version 1.6.6 now available

Sudo version 1.6.6 is now available (ftp sites listed at the end).

Changes since Sudo 1.6.5p2:

o Fixed compilation problem on HP-UX 9.x.

o Moved call to endpwent() and added a call to endgrent().

o Fixed a warning conflicting declaration of VOID with AFS.

o Fixed a security hole in prompt rewriting found by Global InterSec.

Please note that Sudo 1.6.6 fixes a security hole present in sudo
versions 1.5.7 - 1.6.5p2. Please see:
for details.

sudo 1.6.6 distribution:

Master WWW site:

Mirrors (not yet updated)

WWW Mirrors: (Los Angeles, California, USA) (Fanwood, New Jersey, USA) (Australia) (Russia)

Master FTP sites:

FTP Mirrors: (Boulder, Colorado, USA) (Los Angeles, California, USA) (Falls Church, Virginia, USA) (Beltsville, Maryland, USA) (West Lafayette, Indiana, USA) (Bloomington, Indiana, USA) (Ypsilanti, Michigan, USA) (College Station, Texas, USA) (Rochester, New York, USA) (Fanwood, New Jersey, USA) (Australia) (Austria) (Alberta, Canada) (Hong Kong, China) (Czechoslovakia) (Great Britain) (Finland) (France) (France) (Germany) (Japan) (Japan) (Japan) (Japan) (Japan) (Japan) (Japan) (Japan) (Japan) (Japan) (Makati City, Philippines) (Poland) (Romania) (Russia) (Russia) (Sweden) (Sweden) (Taiwan) (Turkey)

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



The CERT/CC has no additional comments at this time.
