Upstream information

CVE-2014-0106 at MITRE

Description

Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly check environment variables for the env_delete restriction, which allows local users with sudo permissions to bypass intended command restrictions via a crafted environment variable.

SUSE information

CVSS v2 Scores (National Vulnerability Database)

  Base Score: 6.56
  Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C
  Access Vector: Local
  Access Complexity: Medium
  Authentication: Single
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete

SUSE Bugzilla entries: 866503 [RESOLVED / FIXED], 961766

SUSE Security Advisories:

List of released packages

Each entry lists the product(s), the fixed package version(s), and references.

SUSE Linux Enterprise Desktop 11 SP3
  • sudo >= 1.7.6p2-0.21.1
  Patchnames: sledsp3-sudo

SUSE Linux Enterprise Server 11 SP3
  • sudo >= 1.7.6p2-0.21.1
  Patchnames: slessp3-sudo

SUSE Linux Enterprise Server for VMware 11 SP3
  • sudo >= 1.7.6p2-0.21.1
  Patchnames: slessp3-sudo

SUSE Linux Enterprise Desktop 11 SP3
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Server 11 SP3 for VMware
  • sudo >= 1.7.6p2-0.21.1
  Builds
  SAT Patch Nr: 9044

openSUSE Evergreen 11.4
  • sudo >= 1.7.6p2-0.23.1
  • sudo-debuginfo >= 1.7.6p2-0.23.1
  • sudo-debugsource >= 1.7.6p2-0.23.1
  Patchnames: 2014-55