Bug 322517 - <app-admin/sudo-1.7.2_p7: Privilege escalation (CVE-2010-1646)
Summary: <app-admin/sudo-1.7.2_p7: Privilege escalation (CVE-2010-1646)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
URL:
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-06-02 22:11 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2010-09-07 12:10 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Diego Elio Pettenò (RETIRED) gentoo-dev 2010-06-02 22:11:05 UTC
Sudo versions 1.7.2p7 and 1.6.9p23 are now available.  These releases
fix a flaw that may allow an attacker to bypass the "secure path"
feature if it is enabled.

Summary:
    Sudo "secure path" feature works by replacing the PATH environment
    variable with a value specified in the sudoers file, or at
    compile time if the --with-secure-path configure option is used.
    The flaw is that sudo only replaces the first instance of PATH
    in the environment.  If the program being run through sudo uses
    the last instance of PATH in the environment, an attacker may
    be able to avoid the "secure path" restrictions.

Sudo versions affected:
    Sudo 1.3.1 through 1.6.9p22 and Sudo 1.7.0 through 1.7.2p6.

Download links:
    http://www.sudo.ws/sudo/dist/sudo-1.7.2p7.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.7.2p7.tar.gz
    http://www.sudo.ws/sudo/dist/sudo-1.6.9p23.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.9p23.tar.gz

Details:
    Most versions of the C library function getenv() return the
    first instance of an environment variable to the caller.  However,
    some programs, notably the GNU Bourne Again SHell (bash), do
    their own environment parsing and may choose the last instance
    of a variable rather than the first one.

    An attacker may manipulate the environment of the process that
    executes Sudo such that a second PATH variable is present.  When
    Sudo runs a bash script, it is this second PATH variable that
    is used by bash, regardless of whether or not Sudo has overwritten
    the first instance of PATH.  This may allow an attacker to
    subvert the program being run under Sudo and execute commands
    he/she would not otherwise be allowed to run.

Impact:
    Exploitation of the bug requires that Sudo be configured with
    the "secure path" option enabled, either at build-time (via
    configure) or at run-time (via sudoers).  It also requires that
    the user be granted permission to run a command that does its
    own environment handling, such as a bash script, and that this
    command does not set PATH itself.

    If the "secure path" feature is not in use there is no impact.

Credit:
    Evan Broder and Anders Kaseorg of Ksplice, Inc.

See Also:
    http://www.sudo.ws/sudo/alerts/secure_path.html
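The mechanism the advisory describes, as an added example that is not part of this bug report or of sudo's own source: a getenv()-style first-match lookup beside a bash-style last-match lookup, a rewrite that mimics the pre-1.7.2p7 secure path handling (only the first PATH entry is overwritten), and a hardened rewrite that removes every PATH entry before appending a single one. The environment strings, the SECURE_PATH value, the directory names and all function names are constructed for the illustration and are not taken from sudo or from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENV 16   /* capacity of the constructed environment, with spare slots */

/* Constructed secure_path value for the example; not sudo's compiled-in default. */
static const char SECURE_PATH[] = "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";

struct outcome {
    const char *first;   /* what a getenv() caller sees as PATH */
    const char *last;    /* what a bash-style last-wins parser sees as PATH */
};

/* Returns the value of the FIRST "name=" entry, like glibc's getenv(). */
static const char *lookup_first(char *const *envp, const char *name)
{
    size_t n = strlen(name);
    for (; *envp; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp + n + 1;
    return NULL;
}

/* Returns the value of the LAST "name=" entry: bash binds every entry in
   order, so a later duplicate overwrites an earlier one. */
static const char *lookup_last(char *const *envp, const char *name)
{
    size_t n = strlen(name);
    const char *found = NULL;
    for (; *envp; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            found = *envp + n + 1;
    return found;
}

/* Mimics the flaw described in the advisory: only the first PATH entry is
   overwritten, so any further PATH entries survive untouched. */
static void secure_path_vulnerable(char **envp)
{
    for (; *envp; envp++) {
        if (strncmp(*envp, "PATH=", 5) == 0) {
            *envp = (char *)SECURE_PATH;
            return;
        }
    }
}

/* Hardened variant: drop every PATH entry, then append exactly one.
   envp must have a free slot after the terminating NULL (see MAX_ENV). */
static void secure_path_fixed(char **envp)
{
    char **out = envp;
    for (char **in = envp; *in; in++)
        if (strncmp(*in, "PATH=", 5) != 0)
            *out++ = *in;
    *out++ = (char *)SECURE_PATH;
    *out = NULL;
}

/* Constructed attacker environment: two PATH entries, the second pointing
   at a directory the attacker controls. */
static void build_attacker_env(char **envp)
{
    envp[0] = "USER=alice";
    envp[1] = "PATH=/usr/bin:/bin";
    envp[2] = "HOME=/home/alice";
    envp[3] = "PATH=/home/alice/evil";
    envp[4] = NULL;
}

/* Applies one rewrite to the attacker environment and reports both views. */
static struct outcome run_rewrite(void (*rewrite)(char **))
{
    char *envp[MAX_ENV];
    struct outcome o;
    build_attacker_env(envp);
    rewrite(envp);
    o.first = lookup_first(envp, "PATH");
    o.last = lookup_last(envp, "PATH");
    return o;   /* the strings outlive envp: they are literals or SECURE_PATH */
}

int main(void)
{
    struct outcome v = run_rewrite(secure_path_vulnerable);
    struct outcome f = run_rewrite(secure_path_fixed);
    printf("vulnerable: getenv sees %s\n            bash sees   %s\n", v.first, v.last);
    printf("fixed:      getenv sees %s\n            bash sees   %s\n", f.first, f.last);
    return 0;
}
```

After the vulnerable rewrite a getenv() caller reports the secure path while a last-wins parser reports /home/alice/evil; after the hardened rewrite both agree. The same split can be observed on a real system by execve()ing /bin/bash with a hand-built envp that carries two PATH entries: bash reports the second one, a C program calling getenv() reports the first, which is why the advisory singles out bash scripts run through sudo.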
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-03 12:54:28 UTC
Arches, please test and mark stable:
=app-admin/sudo-1.7.2_p7
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-06-03 13:39:00 UTC
x86 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2010-06-03 15:49:53 UTC
Stable for HPPA.
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2010-06-05 14:54:00 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 5 Christoph Mende (RETIRED) gentoo-dev 2010-06-06 15:09:55 UTC
amd64 stable
Comment 6 Joe Jezak (RETIRED) gentoo-dev 2010-06-07 05:02:10 UTC
Marked ppc/ppc64 stable.
Comment 7 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-13 19:16:42 UTC
GLSA request filed
Comment 8 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-14 22:17:42 UTC
CVE-2010-1646 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1646):
  The secure path feature in env.c in sudo 1.3.1 through 1.6.9p22 and
  1.7.0 through 1.7.2p6 does not properly handle an environment that
  contains multiple PATH variables, which might allow local users to
  gain privileges via a crafted value of the last PATH variable.

Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-07 12:10:18 UTC
GLSA 201009-03