CVE-2014-0106

Publication date 11 March 2014

Last updated 24 July 2024

Ubuntu priority

Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly check environment variables for the env_delete restriction, which allows local users with sudo permissions to bypass intended command restrictions via a crafted environment variable.

Read the notes from the security team

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
sudo	13.10 saucy	Not affected
	12.10 quantal	Not affected
	12.04 LTS precise	Fixed 1.8.3p1-1ubuntu3.6
	10.04 LTS lucid	Fixed 1.7.2p1-1ubuntu5.7

Notes

jdstrand

Ubuntu uses env_reset by default

mdeslaur

low priority since this is only vulnerable in a non-default configuration, and not using env_reset is insecure anyway.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
sudo	Upstream: http://www.sudo.ws/repos/sudo/rev/748cefb49422

References

Related Ubuntu Security Notices (USN)