CVE-2014-9680

Published: 31 December 2014

sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.

Priority

Medium

CVSS 3 base score: 3.3

Status

Package: sudo (Launchpad, Ubuntu, Debian)

Release: Upstream
Status: Released (1.7.10p9, 1.8.12)

Release: Ubuntu 14.04 ESM (Trusty Tahr)
Status: Released (1.8.9p5-1ubuntu1.1)

Patches:
Upstream: http://www.sudo.ws/repos/sudo/rev/650ac6938b59 (1.8)
Upstream: http://www.sudo.ws/repos/sudo/rev/ac1467f71ac0 (1.8)
Upstream: http://www.sudo.ws/repos/sudo/rev/91859f613b88 (1.8)
Upstream: http://www.sudo.ws/repos/sudo/rev/579b02f0dbe0 (1.8)
Upstream: http://www.sudo.ws/repos/sudo/rev/33b545d19c03 (1.7)