CVE-2014-0106

Publication date 11 March 2014

Last updated 24 July 2024


Ubuntu priority

Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly check environment variables for the env_delete restriction, which allows local users with sudo permissions to bypass intended command restrictions via a crafted environment variable.
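A quick way to see whether a host is in the non-default configuration this CVE depends on is to look for `Defaults` entries that turn `env_reset` off. The following is an added example, not code from sudo or from Ubuntu. It scans sudoers text passed to it, and the sample content and the function names are constructed for illustration. It does not follow include directives, and it reports every disabling entry without resolving whether a later entry re-enables the option.

```python
import re

# Constructed sample sudoers content (not taken from a real system).
SAMPLE_SUDOERS = r'''
# Defaults !env_reset
Defaults        env_reset, mail_badpass
Defaults:deploy !env_reset, \
                env_delete += "PERL5LIB PYTHONPATH"
Defaults        env_delete -= "TERMCAP"   # previously: !env_reset
deploy ALL=(root) /usr/local/bin/release
'''

# "!env_reset" as a boolean setting: the "!" must not be glued to a word or
# another "!" (so "Defaults!CMND" scopes are not mistaken for a negation).
DISABLED = re.compile(r"(?<![\w!])!\s*env_reset\b")
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')


def logical_lines(text):
    """Yield (first_line_no, text) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf


def env_reset_disabled(text):
    """Return [(line_no, entry)] for Defaults entries that turn env_reset off."""
    hits = []
    for no, line in logical_lines(text):
        # Blank out quoted values, then drop any trailing comment.
        bare = QUOTED.sub('""', line).split("#", 1)[0].strip()
        if bare.startswith("Defaults") and DISABLED.search(bare):
            hits.append((no, " ".join(line.split())))
    return hits


if __name__ == "__main__":
    for no, entry in env_reset_disabled(SAMPLE_SUDOERS):
        print(f"line {no}: env_reset disabled -> {entry}")
```

An empty result for the main sudoers file and every file it includes means `env_reset` is left at its default.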


Status

Package  Ubuntu Release     Status
sudo     13.10 saucy        Not affected
sudo     12.10 quantal      Not affected
sudo     12.04 LTS precise  Fixed 1.8.3p1-1ubuntu3.6
sudo     10.04 LTS lucid    Fixed 1.7.2p1-1ubuntu5.7

Notes


jdstrand

Ubuntu uses env_reset by default


mdeslaur

low priority since this is only vulnerable in a non-default configuration, and not using env_reset is insecure anyway.

Patch details

For informational purposes only. We recommend against cherry-picking updates.

Package Patch details
sudo
