USN-28-1: sudo vulnerability

18 November 2004

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 4.10

Details

Liam Helmer discovered an input validation flaw in sudo. When the standard shell “bash” starts up, it searches the environment for variables with a value beginning with “()”. For each of these variables a function with the same name is created, with the function body filled in from the environment variable’s value.

A malicious user with sudo access to a shell script that uses bash can use this feature to substitute arbitrary commands for any non-fully-qualified programs called from the script. Therefore this flaw can lead to privilege escalation.
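One way a privileged launcher can defend against the behaviour described above, shown as an added example (it is not sudo's actual fix and not code from this advisory): drop every environment entry whose value begins with "()" before a bash script is executed. The function names and the sample environment are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 when a "NAME=value" entry has a value starting with "()",
 * the prefix that makes bash import the variable as a function. */
static int is_function_definition(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;                 /* malformed entry, no value to inspect */
    return strncmp(eq + 1, "()", 2) == 0;
}

/* Compacts a NULL-terminated environment array in place, dropping every
 * function-definition entry. Returns the number of entries removed. */
size_t strip_function_definitions(char **envp)
{
    char **src, **dst;
    size_t removed = 0;

    for (src = dst = envp; *src != NULL; src++) {
        if (is_function_definition(*src))
            removed++;
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

/* Constructed sample environment (assumption, not taken from the advisory). */
char *sample_env[] = {
    "PATH=/usr/bin:/bin",
    "helper=() { :; }",          /* dropped: value begins with "()" */
    "NOTE=call f() later",       /* kept: "()" is not at the start */
    "EMPTY=",                    /* kept: empty value */
    "cleanup=(){ :; }",          /* dropped: no space after "()" */
    "TERM",                      /* kept: malformed entry without '=' */
    NULL
};

int main(void)
{
    size_t removed = strip_function_definitions(sample_env);
    printf("removed %zu entries\n", removed);
    for (char **e = sample_env; *e != NULL; e++)
        printf("kept: %s\n", *e);
    return 0;
}
```

The filter has to run on the exact array handed to the exec call, after any other environment processing, so that nothing can reintroduce a stripped entry.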

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 4.10
sudo

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
