Bug 1071780 (CVE-2014-0106)
| Field | Value |
|---|---|
| Summary | CVE-2014-0106 sudo: certain environment variables not sanitized when env_reset is disabled |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Fixed In Version | sudo 1.8.5 |
| Doc Type | Bug Fix |
| Reporter | Murray McAllister <mmcallis> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | dkopecek, jkurik, jrusnack, security-response-team, vdanen |
| Keywords | Security |
| Last Closed | 2014-03-10 16:04:00 UTC |
| Bug Depends On | 1072210, 1072211 |
| Bug Blocks | 1071787 |
Description
Murray McAllister
2014-03-03 07:24:42 UTC
The "env_reset" option is enabled in the version of sudo as shipped with Red Hat Enterprise Linux 5; therefore this flaw does not affect the default configurations of the package.

Statement:

This issue did not affect the version of the sudo package as shipped with Red Hat Enterprise Linux 6. This issue does not affect the version of sudo as shipped with Fedora 19 and Fedora 20.

Public now: http://seclists.org/oss-sec/2014/q1/510

Upstream fix: http://www.sudo.ws/repos/sudo/rev/748cefb49422

External References: http://www.sudo.ws/sudo/alerts/env_add.html

Note: This issue only has a security impact on configurations in which a user is permitted to run a limited number of commands with elevated privileges (for example, only commands to start/stop/restart a service). This issue has no impact on configurations in which users are permitted to run arbitrary commands with a target user's privileges.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 5
Via RHSA-2014:0266 https://rhn.redhat.com/errata/RHSA-2014-0266.html
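The precondition the report describes is a sudoers policy that turns `env_reset` off for a user who may only run a few privileged commands. The following is an added example, not code from the bug report, Red Hat, or the sudo project: a small shell check that reads sudoers text and reports whether any `Defaults` line disables `env_reset`, shown against two constructed policies, one weak (`!env_reset` set on a limited-command rule) and one corrected. The helper name `env_reset_state`, the user `alice`, and the sample rules are assumptions made for the example; the check is a static text scan and does not follow `#include`/`#includedir` directives.

```shell
#!/bin/sh
# Added example (not from the bug report or the sudo project).
# Static check: does a sudoers file turn env_reset off, the precondition
# for CVE-2014-0106 to matter?  Both sudoers samples below are constructed
# for this example, and "env_reset_state" is a hypothetical helper name.

# Constructed: a limited-command policy that disables env_reset
# (the configuration the advisory says is at risk).
WEAK_SUDOERS='# alice may only restart httpd, but her environment is passed through
Defaults    !env_reset, env_keep += "HOME"
alice   ALL = (root) /sbin/service httpd restart'

# Constructed: the same policy with env_reset left on (the RHEL default).
FIXED_SUDOERS='Defaults    env_reset
Defaults    env_keep += "HOME"
alice   ALL = (root) /sbin/service httpd restart'

# env_reset_state: read sudoers text on stdin and print the last explicit
# env_reset setting found on any Defaults line: "on", "off", or "unset"
# when no Defaults line mentions it (the compiled-in default then applies).
# Scoped Defaults (Defaults:user, Defaults@host, Defaults>runas,
# Defaults!cmd) are scanned too, since a scoped "!env_reset" is exactly
# the risky case.  Limitation: #include / #includedir are not followed.
env_reset_state() {
  awk '
    BEGIN { state = "unset" }
    { sub(/#.*/, "") }                                  # drop comments
    /^[ \t]*Defaults([ \t]|[:@>!])/ {
      line = $0
      sub(/^[ \t]*Defaults[^ \t]*[ \t]*/, "", line)     # drop "Defaults" + qualifier
      n = split(line, opts, /,/)                        # options are comma-separated
      for (i = 1; i <= n; i++) {
        o = opts[i]
        gsub(/^[ \t]+|[ \t]+$/, "", o)                  # trim surrounding blanks
        if (o == "env_reset")  state = "on"
        if (o == "!env_reset") state = "off"
      }
    }
    END { print state }
  '
}

# Demonstration: classify both constructed policies.
for name in WEAK_SUDOERS FIXED_SUDOERS; do
  eval "text=\$$name"
  printf '%s: env_reset is %s\n' "$name" "$(printf '%s\n' "$text" | env_reset_state)"
done
```

On a live system, `sudo -V` run as root lists the Defaults in effect, which is the authoritative runtime check; the text scan above is for auditing sudoers files offline. An "unset" result means the build's compiled-in default decides, which the report notes is "enabled" for the RHEL 5 package. As the report also says, a user who is already allowed arbitrary commands gains nothing from this flaw, so the finding matters only where the scan reports "off" for a limited-command rule.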