USN-28-1: sudo vulnerability
18 November 2004
Liam Helmer discovered an input validation flaw in sudo. When the
standard shell "bash" starts up, it searches the environment for
variables with a value beginning with "()". For each of these
variables a function with the same name is created, with the function
body filled in from the environment variable's value.
A malicious user with sudo access to a shell script that uses bash can
use this feature to substitute arbitrary commands for any
non-fully-qualified programs called from the script. Therefore this
flaw can lead to privilege escalation.
The problem can be corrected by updating your system to the following package versions:
In general, a standard system update will make all the necessary changes.