Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 503586 (CVE-2014-0106) - <app-admin/sudo-1.8.5: certain environment variables not sanitized when env_reset is disabled (CVE-2014-0106)
Summary: <app-admin/sudo-1.8.5: certain environment variables not sanitized when env_r...
Alias: CVE-2014-0106
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2014-03-06 08:21 UTC by Agostino Sarubbo
Modified: 2014-06-27 09:32 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-03-06 08:21:57 UTC
From ${URL} :

It was found that, when the Sudo env_reset option was disabled (it is enabled by default), certain 
environment variables were not blacklisted as expected. A local user authorized to run commands using sudo 
could use this flaw to execute arbitrary code, allowing them to escalate their privileges.

This issue affects Sudo versions 1.6.9 to 1.8.4p5. Versions 1.8.5 and later are not affected.

@security: please file the request for the GLSA.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-04-28 19:46:32 UTC
CVE-2014-0106 (
  Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly check
  environment variables for the env_delete restriction, which allows local
  users with sudo permissions to bypass intended command restrictions via a
  crafted environment variable.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-06-18 23:55:20 UTC
New GLSA Request filed.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-06-27 09:32:21 UTC
This issue was resolved and addressed in
 GLSA 201406-30 at
by GLSA coordinator Mikle Kolyada (Zlogene).