Mandriva Linux Security Advisory : sudo (MDVSA-2015:126)

High Nessus Plugin ID 82379

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 1.4

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

Updated sudo packages fix security vulnerability :

Prior to sudo 1.8.12, the TZ environment variable was passed through unchecked. Most libc tzset() implementations support passing an absolute pathname in the time zone to point to an arbitrary, user-controlled file. This may be used to exploit bugs in the C library's TZ parser or open files the user would not otherwise have access to. Arbitrary file access via TZ could also be used in a denial of service attack by reading from a file or fifo that will block (CVE-2014-9680).

The sudo package has been updated to version 1.8.12, fixing this issue and several other bugs.

Solution

Update the affected sudo and / or sudo-devel packages.

See Also

http://advisories.mageia.org/MGASA-2015-0079.html

Plugin Details

Severity: High

ID: 82379

File Name: mandriva_MDVSA-2015-126.nasl

Version: 1.4

Type: local

Published: 2015/03/30

Updated: 2021/01/14

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 1.4

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:sudo, p-cpe:/a:mandriva:linux:sudo-devel, cpe:/o:mandriva:business_server:2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 2015/03/29

Reference Information

CVE: CVE-2014-9680

MDVSA: 2015:126