USN-2146-1: Sudo vulnerabilities

13 March 2014

Several security issues were fixed in Sudo.

Releases

Packages

  • sudo - Provide limited super user privileges to specific users

Details

Sebastien Macke discovered that Sudo incorrectly handled blacklisted
environment variables when the env_reset option was disabled. A local
attacker could use this issue to possibly run unintended commands by using
blacklisted environment variables. A default Ubuntu installation has the
env_reset option enabled. This issue only affected Ubuntu
10.04 LTS and Ubuntu 12.04 LTS. (CVE-2014-0106)
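
To check whether a host is in the configuration this issue depends on, the following added example (not part of the original notice) scans a sudoers file for Defaults lines that disable env_reset. The function name and the sample content are constructed for illustration.

```shell
#!/bin/sh
# Added example: report sudoers Defaults lines that turn env_reset off.
# Prints "FILE:LINE: text" per hit; returns 0 if any hit, 1 if none.
# #include / #includedir are not followed: run it on each file.
env_reset_disabled() {
    awk -v file="$1" '
        {   # Join backslash-continued lines into one logical line.
            if (!cont) { start = NR; buf = "" }
            line = $0
            cont = sub(/\\$/, "", line)
            buf = buf line
            if (cont) next
        }
        buf ~ /^[ \t]*#/ { next }                        # comment line
        buf !~ /^[ \t]*Defaults([ \t@:!>]|$)/ { next }   # not a Defaults entry
        {
            params = buf
            # Drop "Defaults" plus any @host, :user, !cmnd or >runas binding.
            sub(/^[ \t]*Defaults[@:!>]?[^ \t]*[ \t]*/, "", params)
            sub(/[ \t]#.*$/, "", params)                 # trailing comment
            n = split(params, p, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", p[i])
                if (p[i] ~ /^![ \t]*env_reset$/) {       # "!" negates a flag
                    printf "%s:%d: %s\n", file, start, buf
                    hits++
                    break
                }
            }
        }
        END { exit (hits ? 0 : 1) }
    ' "$1"
}

# Constructed sample sudoers content, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults        env_reset
# Defaults      !env_reset
Defaults:deploy !env_reset, !mail_badpass
%admin ALL=(ALL) ALL
EOF
env_reset_disabled "$sample" || echo "env_reset is not disabled in $sample"
rm -f "$sample"
```

A hit marks a line to review rather than the effective setting, since a later Defaults entry can turn env_reset back on.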

It was discovered that the Sudo init script set a date in the past on
existing timestamp files instead of using the epoch to invalidate them
completely. A local attacker could possibly modify the system time to
attempt to reuse timestamp files. This issue only applied to Ubuntu
12.04 LTS, Ubuntu 12.10 and Ubuntu 13.10. (LP: #1223297)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04

In general, a standard system update will make all the necessary changes.