[v3.0] sudo: TZ issue (CVE-2014-9680)
Prior to sudo 1.8.12, the TZ environment variable was passed through unchecked. Most libc tzset() implementations support passing an absolute pathname in the time zone to point to an arbitrary, user-controlled file. This may be used to exploit bugs in the C library’s TZ parser or open files the user would not otherwise have access to. Arbitrary file access via TZ could also be used in a denial of service attack by reading from a file or fifo that will block.
Affected: versions prior to 1.8.12.
References:
http://seclists.org/oss-sec/2015/q1/486
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772707
CONFIRM: http://www.sudo.ws/alerts/tz.html
(from redmine: issue id 3989, created on 2015-03-16, closed on 2015-03-17)
- Relations:
- parent #3986 (closed)
- Changesets:
- Revision cc515231 by Natanael Copa on 2015-03-17T09:18:22Z:
main/sudo: security upgrade to 1.8.12 (CVE-2014-9680)
ref #3986
fixes #3989