1. Ubuntu Security Notices
  2. USN-956-1

USN-956-1: sudo vulnerability

Publication date

30 June 2010

Overview

Under certain conditions, a user might be able to run commands with administrative privileges.

Releases

Packages

  • sudo - Provide limited super user privileges to specific users

Details

Evan Broder and Anders Kaseorg discovered that sudo did not properly
sanitize its environment when configured to use secure_path (the default in
Ubuntu). A local attacker could exploit this to execute arbitrary code as
root if sudo was configured to allow the attacker to use a program that
interpreted the PATH environment variable.

Evan Broder and Anders Kaseorg discovered that sudo did not properly
sanitize its environment when configured to use secure_path (the default in
Ubuntu). A local attacker could exploit this to execute arbitrary code as
root if sudo was configured to allow the attacker to use a program that
interpreted the PATH environment variable.

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
9.10 karmic sudo-ldap –  1.7.0-1ubuntu2.4
sudo –  1.7.0-1ubuntu2.4
9.04 jaunty sudo-ldap –  1.6.9p17-1ubuntu3.3
sudo –  1.6.9p17-1ubuntu3.3
8.04 hardy sudo-ldap –  1.6.9p10-1ubuntu3.8
sudo –  1.6.9p10-1ubuntu3.8
6.06 dapper sudo-ldap –  1.6.8p12-1ubuntu6.3
sudo –  1.6.8p12-1ubuntu6.3
10.04 lucid sudo-ldap –  1.7.2p1-1ubuntu5.1
sudo –  1.7.2p1-1ubuntu5.1

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›