CVE-2016-7076

Published: 29 May 2018

sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package Release Status
sudo
Launchpad, Ubuntu, Debian
Upstream
Released (1.8.18p1)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(1.8.19p1-1ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(1.8.19p1-1ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(1.8.19p1-1ubuntu1)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (1.8.16-0ubuntu1.6)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (1.8.9p5-1ubuntu1.5+esm5)
Ubuntu 12.04 ESM (Precise Pangolin) Needed

Patches:
Upstream: https://www.sudo.ws/repos/sudo/rev/e7d09243e51b
Upstream: https://www.sudo.ws/repos/sudo/rev/7b8357b0a358
Upstream: https://www.sudo.ws/repos/sudo/rev/167a518d8129
Upstream: https://www.sudo.ws/repos/sudo/rev/59d76bdc0f0c
Upstream: https://www.sudo.ws/repos/sudo/rev/5d88d7cda853
Upstream: https://www.sudo.ws/repos/sudo/rev/120a317ce25b

Notes

AuthorNote
sarnold See also CVE-2016-7032 This alert mentions a seccomp-based filter. If we decide to backport that filter for this CVE, and CVE-2016-7032, then 'medium' may continue to be appropriate. If we decide the seccomp-based filter is not suitable for a backport, then perhaps 'negligible' would be appropriate.

References