CVE-2015-5602 - http://www.sudo.ws/stable.html#1.8.15
The example @ https://www.exploit-db.com/exploits/37710/ shows there are some unique configurations (and dangerous on the part of the system administrator) that lead to this. From the looks of things in https://bugzilla.redhat.com/show_bug.cgi?id=1277426, the fix in 1.8.15 is incomplete and there were some additional commits added upstream for the next release. The 1.8.15 test does at least address the example in exploitdb, but it's probably worth looking a little bit closer.
A commit references this bug:

Author: junovitch
Date: Tue Jan 26 01:36:26 UTC 2016
New revision: 407251
URL: https://svnweb.freebsd.org/changeset/ports/407251

Log:
  Document potential privilege escalation via symlink misconfiguration in sudo

  PR: 206592
  Reported by: Sevan Janiyan <venture37@geeklan.co.uk>
  Security: CVE-2015-5602
  Security: https://vuxml.FreeBSD.org/freebsd/2e8cdd36-c3cc-11e5-b5fe-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Renato, I'm going to take for monitoring (and drop needs-patch). security/sudo has been 1.8.15 since November 2015 and no action is needed at the moment. Since the issue shown at https://www.exploit-db.com/exploits/37710/ is fixed in 1.8.15 this is all technically correct with the information at hand. I can replicate this and get an error on 1.8.15:

  sudoedit: /home/jason/newdir/test.txt: Too many links

However, I don't know yet if a second CVE will be assigned for the possible incomplete fix mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1277426 or if the current CVE will apply and this can be amended. It's also worth noting this is marked as a WONTFIX for RHEL in the referenced bug report given the insecure configuration that causes it.
Close. I see no indication CVE-2015-5602 has changed status in the NVD database. The changelog for 1.8.16 and upstream bug mentions additional fixes related to the issue but the incomplete fix would normally be a second CVE. As such close until such a time that a second CVE gets assigned.