A flaw in exists in sudo's environment sanitizing prior to sudo version 1.6.8p12 that could allow a malicious user with permission to run a perl script to execute arbitrary perl code. Sudo versions affected: All versions prior to 1.6.8p12. Details: The PERL5LIB and PERLLIB environment variables can be used to provide a list of directories in which to look for perl library files before the system directories are searched. It is similar in concept to the LD_LIBRARY_PATH environment variables, only for perl. These variables are ignored if "tainting" is enabled (via the -T switch). The PERL5OPT environment variable specifies additional command line options to be passed to the script which may modify its behavior. Malicious users with sudo access to run a perl script can use these variables to include and execute their own library file with the same name as a system library file that is included (via the "use" or "require" directives) by the perl script run via sudo. Impact: Exploitation of the bug requires that perl be installed on the machine and that users be granted sudo access to run perl scripts that do not have tainting turned on. http://www.sudo.ws/sudo/alerts/perl_env.html I don't know if Ubuntu's patch is different or if it's just a matter of wording, but USN-235-1 explicitly expands it to other scripting languages: >This security update also filters out environment variables that can >be exploited similarly with Python, Ruby, and zsh scripts.
It's okay, we've been using env_reset by default for months, and I've also been stripping these additional variables since June in case an administrator re-enables env_reset. So, not vulnerable :)
