CVE-2014-0106

Published: 11 March 2014

Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly check environment variables for the env_delete restriction, which allows local users with sudo permissions to bypass intended command restrictions via a crafted environment variable.

Priority

Medium

Status

Package: sudo (Launchpad, Ubuntu, Debian)

Release                           Status
Upstream                          Released (1.8.5)
Ubuntu 14.04 ESM (Trusty Tahr)    Not vulnerable

Patches:
Upstream: http://www.sudo.ws/repos/sudo/rev/748cefb49422

Notes

Author      Note
jdstrand    Ubuntu uses env_reset by default
mdeslaur    low priority since this is only vulnerable in a non-default configuration, and not using env_reset is insecure anyway.
