CVE-2014-9680

Published: 31 December 2014

sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.

Priority

Cvss 3 Severity Score

3.3

Score breakdown

Status

Package	Release	Status
sudo Launchpad, Ubuntu, Debian	lucid	Released (1.7.2p1-1ubuntu5.8)
	precise	Released (1.8.3p1-1ubuntu3.7)
	trusty	Released (1.8.9p5-1ubuntu1.1)
	upstream	Released (1.7.10p9, 1.8.12)
	utopic	Released (1.8.9p5-1ubuntu2.1)
	Patches: upstream: http://www.sudo.ws/repos/sudo/rev/650ac6938b59 upstream: http://www.sudo.ws/repos/sudo/rev/ac1467f71ac0 upstream: http://www.sudo.ws/repos/sudo/rev/91859f613b88 upstream: http://www.sudo.ws/repos/sudo/rev/579b02f0dbe0 upstream: http://www.sudo.ws/repos/sudo/rev/33b545d19c03

Severity score breakdown

Parameter	Value
Base score	3.3
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	Low
Integrity impact	None
Availability impact	None
Vector	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772707

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›