
CVE-2014-0106

Published: 11 March 2014

Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly check environment variables for the env_delete restriction, which allows local users with sudo permissions to bypass intended command restrictions via a crafted environment variable.

Notes

Author    Note
jdstrand  Ubuntu uses env_reset by default
mdeslaur  low priority since this is only vulnerable in a non-default configuration, and not using env_reset is insecure anyway.

Priority

Medium

Status

Package: sudo (Launchpad, Ubuntu, Debian)

Release   Status
lucid     Released (1.7.2p1-1ubuntu5.7)
precise   Released (1.8.3p1-1ubuntu3.6)
quantal   Not vulnerable (1.8.5p2-1ubuntu1.1)
saucy     Not vulnerable
upstream  Released (1.8.5)

Patches:
upstream: http://www.sudo.ws/repos/sudo/rev/748cefb49422