Okay, this article isn’t for the non-technically minded as it deals with the “sudo” command line tool that Apple ships with Mac OS X. The tool is used for authenticating as root without needing to actually enable the root account.
Anyway, Scott Anguish — WebObjects and Cocoa developer and the Web master of Stepwise — said that there’s a security issue with the version included, and it can be vulnerable to a buffer-overflow error.
Step by step instructions for creating a new version of sudo that has this issue fixed is now available on Stepwise. Use of the instructions requires a user being able to achieve ‘root’ access using the “sudo” command. You’ll need to be in the Admin group in order to do this.
Anguish also created an installer for this — a sudo upgrade installer — that can be found at Stepwise’s Softrak area. It’s a 122.1 kb file and doesn’t use Apple’s Installer.app. Anguish has written his own, which he’ll be releasing soon.
“Sudo allows users (or groups of users) the ability to run commands as root while logging all commands and arguments,” Anguish said. “Recently a potential security issue has been discovered with the unix command-line tool sudo. The specific problem is referred to as a ‘buffer overrun.’ A malicious user could enter too much information into the application, causing it to crash, and potentially execute commands.”
Softrak is Stepwise’s software database that tracks applications for Apple’s high-end software platforms. It’s designed to make it easy for users and developers to locate software available for Mac OS X, Mac OS X Server, OpenStep, and WebObjects. Also, you may wish to see our April 10 report on Mac OS X Installer issues.