Gentoo Archives: gentoo-announce

From: Mikle Kolyada <zlogene@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201504-02 ] sudo: Information disclosure
Date: Sat, 11 Apr 2015 14:59:17
Message-Id: 552935D2.2070700@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201504-02
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 https://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: sudo: Information disclosure
9 Date: April 11, 2015
10 Bugs: #539532
11 ID: 201504-02
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A vulnerability in sudo could allow a local attacker to read arbitrary
19 files or bypass security restrictions.
20
21 Background
22 ==========
23
24 sudo allows a system administrator to give users the ability to run
25 commands as other users. Access to commands may also be granted on a
26 range to hosts.
27
28 Affected packages
29 =================
30
31 -------------------------------------------------------------------
32 Package / Vulnerable / Unaffected
33 -------------------------------------------------------------------
34 1 app-admin/sudo < 1.8.12 >= 1.8.12
35
36 Description
37 ===========
38
39 sudo does not handle the TZ environment variable properly.
40
41 Impact
42 ======
43
44 A local attacker may be able to read arbitrary files or information
45 from device special files.
46
47 Workaround
48 ==========
49
50 There is no known workaround at this time.
51
52 Resolution
53 ==========
54
55 All sudo users should upgrade to the latest version:
56
57 # emerge --sync
58 # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.8.12"
59
60 References
61 ==========
62
63 [ 1 ] CVE-2014-9680
64 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9680
65
66 Availability
67 ============
68
69 This GLSA and any updates to it are available for viewing at
70 the Gentoo Security Website:
71
72 https://security.gentoo.org/glsa/201504-02
73
74 Concerns?
75 =========
76
77 Security is a primary focus of Gentoo Linux and ensuring the
78 confidentiality and security of our users' machines is of utmost
79 importance to us. Any security concerns should be addressed to
80 security@g.o or alternatively, you may file a bug at
81 https://bugs.gentoo.org.
82
83 License
84 =======
85
86 Copyright 2015 Gentoo Foundation, Inc; referenced text
87 belongs to its owner(s).
88
89 The contents of this document are licensed under the
90 Creative Commons - Attribution / Share Alike license.
91
92 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature