USN-2579-1: autofs vulnerability
27 April 2015
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
autofs could be made to run programs as an administrator if program maps were configured.
- autofs - kernel-based automounter for Linux
It was discovered that autofs incorrectly filtered environment variables when using program maps. When program maps were configured, a local user could use this issue to escalate privileges.
This update changes the default behaviour by adding a prefix to environment variables. Sites using program maps will need to adapt to the new variable names, or revert to the previous names by using a new configuration option called FORCE_STANDARD_PROGRAM_MAP_ENV.
The problem can be corrected by updating your system to the following package versions:
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make all the necessary changes.