Packages
- sudo - Provide limited super user privileges to specific users
Details
Sebastien Macke discovered that Sudo incorrectly filtered environment
variables when the env_reset option was disabled. A local attacker could
use this issue to possibly run unintended commands by using environment
variables that were intended to be blocked. In a default Ubuntu
installation, the env_reset option is enabled by default. This issue only
affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2014-0106)
It was discovered that the Sudo init script set a date in the past on
existing timestamp files instead of using epoch to invalidate them
completely. A local attacker could possibly modify the system time to
attempt to reuse timestamp files. This issue only applied to Ubuntu
12.04 LTS, Ubuntu 12.10 and Ubuntu 13.10. (LP: #1223297)
Sebastien Macke discovered that Sudo incorrectly filtered environment
variables when the env_reset option was disabled. A local attacker could
use this issue to possibly run unintended commands by using environment
variables that were intended to be blocked. In a default Ubuntu
installation, the env_reset option is enabled by default. This issue only
affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2014-0106)
It was discovered that the Sudo init script set a date in the past on
existing timestamp files instead of using epoch to invalidate them
completely. A local attacker could possibly modify the system time to
attempt to reuse timestamp files. This issue only applied to Ubuntu
12.04 LTS, Ubuntu 12.10 and Ubuntu 13.10. (LP: #1223297)
Update instructions
In general, a standard system update will make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
Ubuntu Release | Package Version | ||
---|---|---|---|
13.10 saucy | sudo – 1.8.6p3-0ubuntu3.1 | ||
sudo-ldap – 1.8.6p3-0ubuntu3.1 | |||
12.10 quantal | sudo – 1.8.5p2-1ubuntu1.2 | ||
sudo-ldap – 1.8.5p2-1ubuntu1.2 | |||
12.04 precise | sudo – 1.8.3p1-1ubuntu3.6 | ||
sudo-ldap – 1.8.3p1-1ubuntu3.6 | |||
10.04 lucid | sudo – 1.7.2p1-1ubuntu5.7 | ||
sudo-ldap – 1.7.2p1-1ubuntu5.7 |
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.