Debian DSA-3167-1 : sudo - security update

low Nessus Plugin ID 81426

Synopsis

The remote Debian host is missing a security-related update.

Description

Jakub Wilk reported that sudo, a program designed to provide limited super user privileges to specific users, preserves the TZ variable from a user's environment without any sanitization. A user with sudo access may take advantage of this to exploit bugs in the C library functions which parse the TZ environment variable or to open files that the user would not otherwise be able to open. The later could potentially cause changes in system behavior when reading certain device special files or cause the program run via sudo to block.

Solution

Upgrade the sudo packages.

For the stable distribution (wheezy), this problem has been fixed in version 1.8.5p2-1+nmu2.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772707

https://packages.debian.org/source/wheezy/sudo

https://www.debian.org/security/2015/dsa-3167

Plugin Details

Severity: Low

ID: 81426

File Name: debian_DSA-3167.nasl

Version: 1.7

Type: local

Agent: unix

Published: 2/23/2015

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.8

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Low

Base Score: 3.3

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:sudo, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 2/22/2015

Reference Information

CVE: CVE-2014-9680

BID: 72649

DSA: 3167