CVE-2019-19232

NameCVE-2019-19232
DescriptionIn Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs947225

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sudo (PTS)jessie, jessie (lts)1.8.10p3-1+deb8u9vulnerable
stretch (security)1.8.19p1-2.1+deb9u3vulnerable
stretch (lts), stretch1.8.19p1-2.1+deb9u6vulnerable
buster (security), buster, buster (lts)1.8.27-1+deb10u6vulnerable
bullseye (security), bullseye1.9.5p2-3+deb11u1fixed
bookworm1.9.13p3-1+deb12u1fixed
sid, trixie1.9.16p1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sudosource(unstable)1.8.31-1unimportant947225

Notes

https://www.sudo.ws/devel.html#1.8.30b2
Sudo 1.8.30 introduces an option to enable/disable the behavior.
[wheezy] - sudo <no-dsa> (Minor issue, requires Runas ALL access)

Search for package or bug name: Reporting problems