CVE-2014-9680
Published: 31 December 2014
sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.
Priority
Status
Package | Release | Status |
---|---|---|
sudo | lucid | Released (1.7.2p1-1ubuntu5.8) |
sudo | precise | Released (1.8.3p1-1ubuntu3.7) |
sudo | trusty | Released (1.8.9p5-1ubuntu1.1) |
sudo | upstream | Released (1.7.10p9, 1.8.12) |
sudo | utopic | Released (1.8.9p5-1ubuntu2.1) |

Patches:
upstream: http://www.sudo.ws/repos/sudo/rev/650ac6938b59
upstream: http://www.sudo.ws/repos/sudo/rev/ac1467f71ac0
upstream: http://www.sudo.ws/repos/sudo/rev/91859f613b88
upstream: http://www.sudo.ws/repos/sudo/rev/579b02f0dbe0
upstream: http://www.sudo.ws/repos/sudo/rev/33b545d19c03

Severity score breakdown
Parameter | Value |
---|---|
Base score | 3.3 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | Low |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |