Alerts This Week
Warning Icon 1 1,154
Alerts This Week
Warning Icon 1 1,154

Debian 3.1 DSA 946-2 Critical: Sudo Privilege Escalation

debian
Calendar Grey April 8, 2006
Debian Logo
Ubuntu releases patch for sudo vulnerability to prevent exploitation via meticulous input validation; see the bulletin for comprehensive information.
Updated package.

Summary


For completeness please find below the original advisory text:

It has been discovered that sudo, a privileged program, that
provides limited super user privileges to specific users, passes
several environment variables to the program that runs with
elevated privileges. In the case of include paths (e.g. for Perl,
Python, Ruby or other scripting languages) this can cause arbitrary
code to be executed as privileged user if the attacker points to a
manipulated version of a system library.

This update alters the former behaviour of sudo and limits the
number of supported environment variables to LC_*, LANG, LANGUAGE
and TERM. Additional variables are only passed through when set as
env_check in /etc/sudoers, which might be required for some scripts
to continue to work.

For the old stable distribution (woody) this problem has been fixed in
version 1.6.6-1.6.

For the stable distribution (sarge) this problem has been fixed in
version 1.6.8p7-1.4.

...

Read the Full Advisory

Severity
critical
Lowest
Low
Medium
High
Critical

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here