4 Feb 2009 19:02
Security issue in Sudo 1.6.9 through 1.6.9p19
Todd C. Miller <Todd.Miller <at> courtesan.com>
2009-02-04 18:02:47 GMT
Summary:
A bug was introduced in Sudo's group matching code in version
1.6.9 when support for matching based on the supplemental group
vector was added. This bug may allow certain users listed in
the sudoers file to run a command as a different user than their
access rule specifies.
Sudo versions affected:
Sudo versions 1.6.9 up to and including 1.6.9p19.
Sudo version 1.7.0 is not affected.
CVE ID:
This vulnerability has been assigned CVE-2009-0034 in the Common
Vulnerabilities and Exposures database.
Details:
Given a sudoers rule like the following:
bob ALL=(%users) ALL
user bob should only be able to run commands as a user that
is a member of the Unix group users.
However, due to the bug, if bob is himself a member of users,
he will actually be able to run a command as any user.
Impact:
The bug only impacts sudoers configurations where a Unix group
is used in the RunAs list, which is (%users) in the example above.
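As an added example (not from the advisory or the sudo project), a small Python audit that flags sudoers rules matching the impact condition above: a plain user entry whose RunAs list names a %group that the user is himself a member of. The sudoers and /etc/group contents below are constructed; the parser handles only simple `user HOST=(runas) cmd` lines and checks supplementary membership from the group file, not primary GIDs from /etc/passwd.

```python
import re

# Constructed sample sudoers, in the 1.6.9 'user HOST=(runas) cmd' form.
SUDOERS = """\
bob   ALL=(%users) ALL
alice ALL=(%wheel) /usr/bin/systemctl
carol ALL=(root) ALL
dave  ALL=(%users) /bin/ls
"""

# Constructed /etc/group excerpt: name:passwd:gid:member,member
ETC_GROUP = """\
root:x:0:
users:x:100:bob,carol
wheel:x:10:dave
"""

# user  host = ( runas-list ) command
RULE_RE = re.compile(r'^(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)\s*(.*)$')

def parse_groups(text):
    """Map group name -> set of supplementary member logins."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(':')
        if len(parts) < 4:
            continue
        groups[parts[0]] = {m for m in parts[3].split(',') if m}
    return groups

def find_exposed_rules(sudoers_text, group_text):
    """Return (user, group) pairs for rules where the RunAs list contains
    %group and user belongs to that group: the configuration the advisory
    says the 1.6.9 bug turns into 'run as any user'."""
    groups = parse_groups(group_text)
    exposed = []
    for line in sudoers_text.splitlines():
        line = line.split('#', 1)[0].strip()   # drop comments
        m = RULE_RE.match(line)
        if not m:
            continue                            # aliases/Defaults not handled
        user, _host, runas, _cmd = m.groups()
        for entry in (e.strip() for e in runas.split(',')):
            if entry.startswith('%') and user in groups.get(entry[1:], set()):
                exposed.append((user, entry[1:]))
    return exposed

if __name__ == '__main__':
    for user, group in find_exposed_rules(SUDOERS, ETC_GROUP):
        print(f"{user} is in group {group} and has (%{group}) in RunAs")
```

Only bob is reported: dave's rule names %users but he is in wheel, and carol's rule uses a plain user in the RunAs list.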