CVE-2014-2886

Publication date 18 September 2014

Last updated 24 July 2024

Ubuntu priority

Low

Why this priority?

Description

GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during installation of a VirtualBox extension pack.

Read the notes from the security team

Status

Package Ubuntu Release Status
gksu 25.10 questing Not in release
25.04 plucky Not in release
24.10 oracular Not in release
24.04 LTS noble Not in release
23.10 mantic Not in release
23.04 lunar Not in release
22.10 kinetic Not in release
22.04 LTS jammy Not in release
21.10 impish Not in release
21.04 hirsute Not in release
20.10 groovy Not in release
20.04 LTS focal Not in release
19.10 eoan Not in release
19.04 disco Not in release
18.10 cosmic Not in release
18.04 LTS bionic Not in release
17.10 artful Ignored end of life
17.04 zesty Ignored end of life
16.10 yakkety Ignored end of life
16.04 LTS xenial
Vulnerable
15.10 wily Ignored end of life
15.04 vivid Ignored end of life
14.10 utopic Ignored end of life
14.04 LTS trusty
Vulnerable
12.04 LTS precise Ignored end of life
10.04 LTS lucid Ignored end of life

Notes

mdeslaur

in Ubuntu, sudo-mode is the default, and the root account has no password. On top of that, the fault actually lies in VirtualBox that is not properly escaping the filename before calling gksu.

References

Other references