Ohhhh – a base score of 7.8 – but only because it is a local issue; are your users your friends? It affects sudo legacy versions 1.8.2 through 1.8.31p2 and stable versions 1.9.0 through 1.9.5p1.
This heap-based buffer overflow vulnerability is quite easy to exploit, and I hope it will be fixed in the next SRU30 for 11.4. Until SRU30 comes out, which may still take some days, you can use an IDR patch for Solaris – I don’t know how long a new LSU build will take for 11.3 extended support.
Solaris 11.4 SRU29 -> idr4690.1
Solaris 11.3 LSU 36.24.0 -> idr4691.1
Solaris 10 ? -> Oracle says “pending resolution”
Oracle Support Document 2052590.1 (Reference Index of CVE IDs and Solaris Security IDRs) can be found at: https://support.oracle.com/epmos/faces/DocumentDisplay?id=2052590.1
Another reason why you should use pfexec on Solaris 😉
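Before applying an IDR you want to know whether the sudo on a host actually falls into the ranges quoted above. The following POSIX sh snippet is an added example (not from the original post): it turns a sudo version string such as "1.8.31p2" into a sortable key and checks it against both affected ranges, and `check_installed_sudo` applies that to the output of `sudo -V` (assumed to start with "Sudo version X.Y.Zp N", as the upstream sudo does).

```sh
#!/bin/sh
# Affected ranges as stated in the post:
#   legacy 1.8.2 .. 1.8.31p2   and   stable 1.9.0 .. 1.9.5p1

# Turn "MAJOR.MINOR.PATCH[pN]" into one integer: each field padded to
# three digits, so 1.8.31p2 -> 1008031002. A missing pN counts as p0.
sudo_version_key() {
    v=$1
    p=0
    case "$v" in
        *p*) p=${v##*p}; v=${v%p*} ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $v
    IFS=$oldifs
    printf '%d%03d%03d%03d\n' "${1:-0}" "${2:-0}" "${3:-0}" "$p"
}

# Returns 0 if the given version lies inside either affected range.
sudo_is_affected() {
    k=$(sudo_version_key "$1")
    lo18=$(sudo_version_key 1.8.2);  hi18=$(sudo_version_key 1.8.31p2)
    lo19=$(sudo_version_key 1.9.0);  hi19=$(sudo_version_key 1.9.5p1)
    if [ "$k" -ge "$lo18" ] && [ "$k" -le "$hi18" ]; then return 0; fi
    if [ "$k" -ge "$lo19" ] && [ "$k" -le "$hi19" ]; then return 0; fi
    return 1
}

# Read the version from the first line of `sudo -V` and report.
# Exit codes: 0 affected, 1 not affected, 2 sudo not found.
check_installed_sudo() {
    ver=$(sudo -V 2>/dev/null | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p')
    [ -n "$ver" ] || { echo "sudo not found"; return 2; }
    if sudo_is_affected "$ver"; then
        echo "sudo $ver is in an affected range - install the IDR or SRU30"
        return 0
    fi
    echo "sudo $ver is outside the affected ranges"
    return 1
}

# To run the check on this host: check_installed_sudo
```

Note that a vendor build may carry its own patches without bumping the version string, so on a host where the IDR is already installed the version check alone is not the final word; confirm with `pkg list idr4690` (the IDR name from the post; package naming assumed).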
[UPDATE] 17-FEB 2021
Oracle released a Solaris 11.4 update including the fixes for this sudo miracle -> Solaris 11.4 SRU 30 (220.127.116.11.3)
In May 2020 Oracle announced that Solaris 11.3 Premier Support will end in October 2020, thus postponing the end of July 2020 that had been announced last year.
With the release of Solaris 11.4 in September 2018, the main stream of development was shifted to the latest version and many features and bug fixes were developed exclusively for the 11.4 release. At that time, Oracle also announced that many older systems would no longer be supported on Solaris 11.4. This affected the following systems in particular:
– Mx000 SPARC Enterprise Server with SPARC64 VI, VII or VII+ CPUs
– All systems with UltraSPARC T1, T2, T2+ and T3 CPUs
– Many old SunFire / Oracle x86 servers of the Vx0z, X2xx00, X4xxx0 or the X6xx0 & X8xx0 blade modules
– And all Netra servers of the above mentioned series (NEBS certification and ETSI compliance)
Many of these SPARC servers are still running in customer environments, and Oracle listened to the community’s outcry at that time and provided so-called LSUs (Limited Support Updates) for Solaris 11.3. After the seventh LSU (18.104.22.168.0 from April 14, 2020), one last LSU can still be released until October. After that, it seems there will be no more fixes for 11.3 and only the continuous release model of Solaris 11.4 will be invested in. Although the maintenance contract still provides open-ended “Sustaining Support”, Oracle will not offer stability or security patches for 11.3.
As a result, the now unavoidable upgrade to Solaris 11.4 will only work, as described above, if the servers use at least Oracle SPARC T4 or SPARC64 X CPUs.
Many customers are very reluctant to upgrade to 11.4 because Oracle has included many new features in the fourth version. By now, however, I can recommend the upgrade without a guilty conscience. Many of my customers have been running stably on 11.4 for many months and appreciate the features and the usual stability of their Solaris environments, whether we are talking about single servers or SuperCluster implementations.