| Summary: | <app-admin/sudo-1.8.5: certain environment variables not sanitized when env_reset is disabled (CVE-2014-0106) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | base-system |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1071780 | ||
| Whiteboard: | B1 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
CVE-2014-0106 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0106): Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly check environment variables for the env_delete restriction, which allows local users with sudo permissions to bypass intended command restrictions via a crafted environment variable. New GLSA Request filed. This issue was resolved and addressed in GLSA 201406-30 at http://security.gentoo.org/glsa/glsa-201406-30.xml by GLSA coordinator Mikle Kolyada (Zlogene). |
From ${URL} : It was found that, when the Sudo env_reset option was disabled (it is enabled by default), certain environment variables were not blacklisted as expected. A local user authorized to run commands using sudo could use this flaw to execute arbitrary code, allowing them to escalate their privileges. This issue affects Sudo versions 1.6.9 to 1.8.4p5. Versions 1.8.5 and later are not affected. @security: please file the request for the GLSA.