From ${URL} : It was found that, when the Sudo env_reset option was disabled (it is enabled by default), certain environment variables were not blacklisted as expected. A local user authorized to run commands using sudo could use this flaw to execute arbitrary code, allowing them to escalate their privileges. This issue affects Sudo versions 1.6.9 to 1.8.4p5. Versions 1.8.5 and later are not affected. @security: please file the request for the GLSA.
CVE-2014-0106 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0106): Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly check environment variables for the env_delete restriction, which allows local users with sudo permissions to bypass intended command restrictions via a crafted environment variable.
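An audit check for the two conditions the advisory names, a sudo version from 1.6.9 up to but not including 1.8.5 together with a policy that turns env_reset off. This is an added example, not part of the original report or of sudo itself. The function names and the sample policy are constructed for illustration, and the parser is a simplification that reads only `Defaults` lines and does not follow includes or aliases.

```python
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")
DEFAULTS_RE = re.compile(r"^Defaults(?P<scope>[:@>!]\S+)?\s+(?P<params>.+)$")

def parse_version(text):
    """'1.8.4p5' -> (1, 8, 4, 5); a missing patch level counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_affected(text):
    """Range from the advisory: 1.6.9 up to, but not including, 1.8.5."""
    return (1, 6, 9, 0) <= parse_version(text) < (1, 8, 5, 0)

def env_reset_disabled(sudoers_text):
    """Scopes whose last Defaults setting leaves env_reset off."""
    state = {}  # scope -> True (on) / False (off); later lines override
    for line in sudoers_text.replace("\\\n", " ").splitlines():
        line = re.sub(r'"[^"]*"', '""', line)      # blank out quoted values
        m = DEFAULTS_RE.match(line.split("#", 1)[0].strip())
        if not m:
            continue
        scope = m.group("scope") or "global"
        for param in m.group("params").split(","):
            flag = re.fullmatch(r"(!?)\s*env_reset", param.strip())
            if flag:
                state[scope] = flag.group(1) != "!"
    return sorted(s for s, enabled in state.items() if not enabled)

def exposed(version, sudoers_text):
    """True only when both conditions from the advisory hold."""
    return version_affected(version) and bool(env_reset_disabled(sudoers_text))

# Constructed sample policy, not taken from any real host.
SAMPLE_SUDOERS = '''\
Defaults env_reset
Defaults secure_path="/usr/sbin:/usr/bin", mail_badpass
# Defaults !env_reset
Defaults:builder !env_reset, env_delete += "LD_*"
Defaults \\
    !env_reset
'''

if __name__ == "__main__":
    for v in ("1.8.4p5", "1.8.5"):
        print(v, env_reset_disabled(SAMPLE_SUDOERS), exposed(v, SAMPLE_SUDOERS))
```

A scope other than `global` in the result means env_reset is off only for that user, host, runas or command scope.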
New GLSA Request filed.
This issue was resolved and addressed in GLSA 201406-30 at http://security.gentoo.org/glsa/glsa-201406-30.xml by GLSA coordinator Mikle Kolyada (Zlogene).