"A hole in the sudo command's debug options has been fixed by the
developers. The problem, discovered by joernchen of phenoelit,
affects sudo versions 1.8.0 to 1.8.3p1. The security hole appeared in
version 1.8.0 when a new simple debugging option was added. A number
of well-known techniques exist for exploiting the format string
vulnerability that would, in turn, allow an attacker to leverage
sudo's root privileges and, without even being listed in the sudoers
file, gain that privilege and run arbitrary commands as root.
The developers have released Sudo 1.8.3p2 as source code, and they
are updating their own downloadable binary
releases for AIX, CentOS, Debian, HP-UX, RHEL, SUSE, Solaris, Tru64
and Ubuntu. Linux distributions that include sudo by default are also
being updated. Fixes for Debian, Gentoo, Mageia are being prepared or
have been released. The flaw does not affect Red Hat Enterprise Linux
4, 5 or 6 as, according to Red Hat, they did not ship with the
vulnerable version of sudo, but Fedora 16 is affected and an updated
package will be made available soon. Mac OS X 10.7 is unaffected as
it still ships with sudo version 1.7.4p6."
It is recommended that vulnerable versions of sudo be updated to avoid unauthorized privilege escalation.
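
To triage hosts against the range quoted above, the following added example (not part of the quoted report or the sudo project's code) classifies a sudo version string as inside or outside 1.8.0 through 1.8.3p1. The function names are hypothetical, the sample versions are constructed, and a match is only a triage signal because distribution packages can carry a backported fix under an unchanged upstream version.

```shell
#!/bin/sh
# Added example: classify sudo versions against the range this page gives
# (1.8.0 through 1.8.3p1 affected, fixed in 1.8.3p2). Function names are
# hypothetical. Versions with other suffixes (beta, rc) report "unknown".

# Print a sortable integer for MAJOR.MINOR.REV[pN]; return 1 if unparseable.
# Assumes each component is below 1000.
sudo_version_key() {
    printf '%s\n' "$1" |
        grep -Eq '^(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*)){2}(p(0|[1-9][0-9]*))?$' ||
        return 1
    svk_base=${1%%p*}
    svk_patch=0
    if [ "$svk_base" != "$1" ]; then svk_patch=${1##*p}; fi
    svk_ifs=$IFS; IFS=.
    set -- $svk_base          # split e.g. 1.8.3 into $1 $2 $3
    IFS=$svk_ifs
    echo $(( $1 * 1000000000 + $2 * 1000000 + $3 * 1000 + $svk_patch ))
}

# Print "affected", "not-affected" or "unknown" for one version string.
sudo_affected() {
    sa_key=$(sudo_version_key "$1") || { echo unknown; return 0; }
    sa_low=$(sudo_version_key 1.8.0)
    sa_high=$(sudo_version_key 1.8.3p1)
    if [ "$sa_key" -ge "$sa_low" ] && [ "$sa_key" -le "$sa_high" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Extract the version from the first line of `sudo -V` output.
sudo_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version \([^ ]*\).*$/\1/p'
}

# Constructed sample versions (not taken from any real host).
for v in 1.7.4p6 1.8.0 1.8.3 1.8.3p1 1.8.3p2 1.8.4b1; do
    printf '%-8s %s\n' "$v" "$(sudo_affected "$v")"
done
# On a live host: sudo_affected "$(sudo_version_from_banner "$(sudo -V)")"
```

An "unknown" result means the string did not parse as a release version and should be checked by hand against the vendor's advisory.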