The Debian Security Advisory posted a vulnerability in Debian that gives root access to unauthorized users. The team first announced the bug on October 14th. A patch is already in place to fix the problem. The bug is present in Raspbian—Pi users will also need the update.
The issue lies within the sudo program. The security log explains, "when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows to run commands as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access.”
Pi users can check the current OS version using the following command in a terminal on the Pi.
apt show sudoIf you're running Buster, you need patch level 1.8.27-1+deb10u1. If you're Pi is still running Stretch, the patch level you need is 1.8.19p1-2.1+deb9u1.
To update your Pi to the latest patch, use this command:
sudo apt-get update && sudo apt-get upgradeDespite the severity of unauthorized root access, security experts, like Yanick Fratantonio insist the bug is overhyped. Exploiting the vulnerability would require very specific circumstances that most users won't encounter.
Unpopular (?) opinion: this sudo bug thingy is being extremely overhyped. I mean, it's a cool bug, but it seems relevant only in very very specific situations.
tweeted Yanick Fratantonio
It's still good practice to keep your OS up to date. You may not have to hurry, but you should still update your Pi or any Linux machine you've got running Debian. You can check the status of the sudo bug on the security tracking page.
