Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 322517 - <app-admin/sudo-1.7.2_p7: Privilege escalation (CVE-2010-1646)
Summary: <app-admin/sudo-1.7.2_p7: Privilege escalation (CVE-2010-1646)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
Whiteboard: A1 [glsa]
Depends on:
Reported: 2010-06-02 22:11 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2010-09-07 12:10 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Diego Elio Pettenò (RETIRED) gentoo-dev 2010-06-02 22:11:05 UTC
Sudo versions 1.7.2p7 and 1.6.9p23 are now available.  These releases
fix a flaw that may allow an attacker to bypass the "secure path"
feature if it is enabled.

    Sudo "secure path" feature works by replacing the PATH environment
    variable with a value specified in the sudoers file, or at
    compile time if the --with-secure-path configure option is used.
    The flaw is that sudo only replaces the first instance of PATH
    in the environment.  If the program being run through sudo uses
    the last instance of PATH in the environment, an attacker may
    be able to avoid the "secure path" restrictions.

Sudo versions affected:
    Sudo 1.3.1 through 1.6.9p22 and Sudo 1.7.0 through 1.7.2p6.

Download links:

    Most versions of the C library function getenv() return the
    first instance of an environment variable to the caller.  However,
    some programs, notably the GNU Bourne Again SHell (bash), do
    their own environment parsing and may choose the last instance
    of a variable rather than the first one.

    An attacker may manipulate the environment of the process that
    executes Sudo such that a second PATH variable is present.  When
    Sudo runs a bash script, it is this second PATH variable that
    is used by bash, regardless of whether or not Sudo has overwritten
    the first instance of PATH.  This may allow an attacker to
    subvert the program being run under Sudo and execute commands
    he/she would not otherwise be allowed to run.

    Exploitation of the bug requires that Sudo be configured with
    the "secure path" option enabled, either at build-time (via
    configure) or at run-time (via sudoers).  It also requires that
    the user be granted permission to run a command that does its
    own environment handling, such as a bash script, and that this
    command does not set PATH itself.

    If the "secure path" feature is not in use there is no impact.

    Evan Broder and Anders Kaseorg of Ksplice, Inc.

See Also:
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-03 12:54:28 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-06-03 13:39:00 UTC
x86 stable
Comment 3 Jeroen Roovers gentoo-dev 2010-06-03 15:49:53 UTC
Stable for HPPA.
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2010-06-05 14:54:00 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 5 Christoph Mende (RETIRED) gentoo-dev 2010-06-06 15:09:55 UTC
amd64 stable
Comment 6 Joe Jezak (RETIRED) gentoo-dev 2010-06-07 05:02:10 UTC
Marked ppc/ppc64 stable.
Comment 7 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-13 19:16:42 UTC
GLSA request filed
Comment 8 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-14 22:17:42 UTC
CVE-2010-1646 (
  The secure path feature in env.c in sudo 1.3.1 through 1.6.9p22 and
  1.7.0 through 1.7.2p6 does not properly handle an environment that
  contains multiple PATH variables, which might allow local users to
  gain privileges via a crafted value of the last PATH variable.

Comment 9 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-09-07 12:10:18 UTC
GLSA 201009-03