Lucene search

K
osvGoogleOSV:DLA-160-1
HistoryFeb 27, 2015 - 12:00 a.m.

sudo - security update

2015-02-2700:00:00
Google
osv.dev
7

3.3 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

6.6 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:S/C:C/I:C/A:C

This update fixes the CVEs described below.

  • CVE-2014-0106
    Todd C. Miller reported that if the env_reset option is disabled
    in the sudoers file, the env_delete option is not correctly
    applied to environment variables specified on the command line. A
    malicious user with sudo permissions may be able to run arbitrary
    commands with elevated privileges by manipulating the environment
    of a command the user is legitimately allowed to run.
  • CVE-2014-9680
    Jakub Wilk reported that sudo preserves the TZ variable from a
    user’s environment without any sanitization. A user with sudo
    access may take advantage of this to exploit bugs in the C library
    functions which parse the TZ environment variable or to open files
    that the user would not otherwise be able to open. The latter
    could potentially cause changes in system behavior when reading
    certain device special files or cause the program run via sudo to
    block.

For the oldstable distribution (squeeze), these problems have been fixed
in version 1.7.4p4-2.squeeze.5.

For the stable distribution (wheezy), they have been fixed in version
1.8.5p2-1+nmu2.

We recommend that you upgrade your sudo packages.

3.3 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

6.6 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:S/C:C/I:C/A:C

Related for OSV:DLA-160-1