Todd Miller reports:
Sudo's command matching routine expects actual commands to include
one or more slash ("/") characters. The flaw is that sudo's path
resolution code did not add a "./" prefix to commands found in the
current working directory. This creates an ambiguity between a
"sudoedit" command found in the cwd and the "sudoedit"
pseudo-command in the sudoers file. As a result, a user may be
able to run an arbitrary command named "sudoedit" in the current
working directory. For the attack to be successful, the PATH
environment variable must include "." and may not include any other
directory that contains a "sudoedit" command.
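
The PATH precondition stated in the report can be audited on a host. The following is an added example, not part of the advisory or of sudo; the function names are hypothetical, and treating an empty PATH entry as the current directory (as POSIX shells do) is an assumption made here.

```shell
#!/bin/sh
# Added example: check a PATH value against the precondition in the report:
# PATH includes "." and no other PATH directory contains a "sudoedit" command.

# Returns 0 if PATH has a "." entry (or an empty entry; assumption: flagged
# because POSIX shells resolve an empty entry to the current directory).
path_has_dot() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
    esac
    return 1
}

# Returns 0 if any PATH directory other than "." holds an executable sudoedit.
other_dir_has_sudoedit() {
    found=1
    old_ifs=$IFS; IFS=:; set -f      # split on ':' without glob expansion
    for dir in $1; do
        case "$dir" in ''|.) continue ;; esac
        if [ -f "$dir/sudoedit" ] && [ -x "$dir/sudoedit" ]; then
            found=0
            break
        fi
    done
    IFS=$old_ifs; set +f
    return $found
}

# Returns 0 only when both halves of the stated precondition hold.
path_meets_advisory_condition() {
    if ! path_has_dot "$1"; then return 1; fi
    if other_dir_has_sudoedit "$1"; then return 1; fi
    return 0
}

# Report on the PATH of the invoking environment.
if path_meets_advisory_condition "$PATH"; then
    echo "PATH matches the report's precondition: remove '.' from PATH"
elif path_has_dot "$PATH"; then
    echo "PATH includes '.', but another directory provides sudoedit"
else
    echo "PATH does not include '.'"
fi
```

Run it in the environment of the account being reviewed, since PATH is per-user and per-session.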