Sudo Bug That Gave Users Root Access Fixed in Latest Debian Patch

The Debian Security Advisory posted a vulnerability in Debian that gives root access to unauthorized users. The team first announced the bug on October 14th. A patch is already in place to fix the problem. The bug is present in Raspbian—Pi users will also need the update.

The issue lies within the sudo program. The security log explains, "when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows to run commands as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access.”

apt show sudo

If you're running Buster, you need patch level 1.8.27-1+deb10u1. If you're Pi is still running Stretch, the patch level you need is 1.8.19p1-2.1+deb9u1.

To update your Pi to the latest patch, use this command:

sudo apt-get update && sudo apt-get upgrade

Despite the severity of unauthorized root access, security experts, like Yanick Fratantonio insist the bug is overhyped. Exploiting the vulnerability would require very specific circumstances that most users won't encounter.

Unpopular (?) opinion: this sudo bug thingy is being extremely overhyped. I mean, it's a cool bug, but it seems relevant only in very very specific situations.
tweeted Yanick Fratantonio

It's still good practice to keep your OS up to date. You may not have to hurry, but you should still update your Pi or any Linux machine you've got running Debian. You can check the status of the sudo bug on the security tracking page.

TOPICS

Ash Hill is a contributing writer for Tom's Hardware with a wealth of experience in the hobby electronics, 3D printing and PCs. She manages the Pi projects of the month and much of our daily Raspberry Pi reporting while also finding the best coupons and deals on all tech.