[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 160-1] sudo security update

Package        : sudo
Version        : 1.7.4p4-2.squeeze.5
CVE ID         : CVE-2014-0106 CVE-2014-9680
Debian Bug     : #772707

This update fixes the CVEs described below.


    Todd C. Miller reported that if the env_reset option is disabled
    in the sudoers file, the env_delete option is not correctly
    applied to environment variables specified on the command line.  A
    malicious user with sudo permissions may be able to run arbitrary
    commands with elevated privileges by manipulating the environment
    of a command the user is legitimately allowed to run.


    Jakub Wilk reported that sudo preserves the TZ variable from a
    user's environment without any sanitization. A user with sudo
    access may take advantage of this to exploit bugs in the C library
    functions which parse the TZ environment variable or to open files
    that the user would not otherwise be able to open. The latter
    could potentially cause changes in system behavior when reading
    certain device special files or cause the program run via sudo to

For the oldstable distribution (squeeze), these problems have been fixed
in version 1.7.4p4-2.squeeze.5.

For the stable distribution (wheezy), they have been fixed in version

We recommend that you upgrade your sudo packages.

Ben Hutchings - Debian developer, kernel team member

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: