Sudo has published a security announcement, with patched versions rolling out today.
When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.
If a sudoers entry is written to allow the user to run a command as any user except root, the bug can be used to avoid this restriction. For example, given the following sudoers entry:
bob myhost = (ALL, !root) /usr/bin/vi
User bob is allowed to run vi as any user but root. However, due to the bug, bob is actually able to run vi as root by running sudo -u#-1 vi, violating the security policy.
Only sudoers entries where the ALL keyword is present in the Runas specifier are affected. For example, the following sudoers entry is unaffected:
alice myhost = /usr/bin/id
In this example, alice is only allowed to run the id command as root. Any attempt to run the command as a different user will be denied.
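An added example, not part of the Sudo announcement: a simplified Python audit that scans sudoers text for the affected pattern described above, a Runas list containing ALL, and marks entries that also try to exclude root. The function names and the sample content are constructed for illustration; the parser assumes simple user specifications and does not expand Runas_Alias definitions or follow include directives.

```python
import re

# Constructed sample; the bob and alice entries are the ones quoted in the announcement.
SAMPLE_SUDOERS = """\
# constructed sample for illustration
bob myhost = (ALL, !root) /usr/bin/vi
carol myhost = (ALL : ALL) \\
    /usr/bin/less
alice myhost = /usr/bin/id
dave myhost = (www-data) /usr/bin/systemctl
"""

RUNAS_RE = re.compile(r"\(([^)]*)\)")             # "(users : groups)" Runas specifier
SKIP_RE = re.compile(r"^(Defaults|\w+_Alias)\b")  # lines that are not user specifications


def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None


def find_affected(text):
    """Return (line, user, runas_users, root_excluded) for Runas lists containing ALL."""
    hits = []
    for n, line in logical_lines(text):
        # Assumption: any line starting with '#' is treated as a comment.
        if not line or line.startswith("#") or SKIP_RE.match(line) or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        for spec in RUNAS_RE.findall(rhs):
            # Keep only the user part (before ':') and drop inner whitespace.
            users = ["".join(u.split()) for u in spec.split(":")[0].split(",")]
            if "ALL" in users:
                excluded = any(u in ("!root", "!#0") for u in users)
                hits.append((n, lhs.split()[0], users, excluded))
    return hits


if __name__ == "__main__":
    for n, user, users, excluded in find_affected(SAMPLE_SUDOERS):
        note = "root exclusion can be bypassed" if excluded else "ALL already includes root"
        print(f"line {n}: {user} runas=({', '.join(users)}): {note}")
```

Entries reported with the root exclusion are the ones whose policy the bug violates; entries with ALL alone already permit running as root, and entries without a Runas specifier, like alice's, are not reported.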