CVE-2014-0106
Published: 11 March 2014
Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly check environment variables for the env_delete restriction, which allows local users with sudo permissions to bypass intended command restrictions via a crafted environment variable.
Notes
Author | Note |
---|---|
jdstrand | Ubuntu uses env_reset by default |
mdeslaur | low priority since this is only vulnerable in a non-default configuration, and not using env_reset is insecure anyway. |
Priority
Status
Package | Release | Status |
---|---|---|
sudo | lucid | Released (1.7.2p1-1ubuntu5.7) |
sudo | precise | Released (1.8.3p1-1ubuntu3.6) |
sudo | quantal | Not vulnerable (1.8.5p2-1ubuntu1.1) |
sudo | saucy | Not vulnerable |
sudo | upstream | Released (1.8.5) |

Patches:
upstream: http://www.sudo.ws/repos/sudo/rev/748cefb49422