Ubuntu Security Notice 983-1 – Markus Wuethrich discovered that sudo did not always verify the user when a group was specified in the Runas_Spec. A local attacker could exploit this to execute arbitrary code as root if sudo was configured to allow the attacker to use a program as a group when the attacker was not a part of that group.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/93603/USN-983-1.txt
Source: https://packetstormsecurity.com/files/93603/Ubuntu-Security-Notice-983-1.html