Summary: | <app-admin/sudo-1.8.5: certain environment variables not sanitized when env_reset is disabled (CVE-2014-0106) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | base-system |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1071780 | ||
Whiteboard: | B1 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-03-06 08:21:57 UTC
CVE-2014-0106 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0106): Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly check environment variables for the env_delete restriction, which allows local users with sudo permissions to bypass intended command restrictions via a crafted environment variable. New GLSA Request filed. This issue was resolved and addressed in GLSA 201406-30 at http://security.gentoo.org/glsa/glsa-201406-30.xml by GLSA coordinator Mikle Kolyada (Zlogene). |