Bugzilla – Bug 917806
VUL-1: CVE-2014-9680: sudo: unsafe handling of TZ environment variable
Last modified: 2019-05-01 16:53:25 UTC
rh#1191144 Prior to sudo 1.8.12, the TZ environment variable was passed through unchecked. Most libc tzset() implementations support passing an absolute pathname in the time zone to point to an arbitrary, user-controlled file. This may be used to exploit bugs in the C library's TZ parser or open files the user would not otherwise have access to. Arbitrary file access via TZ could also be used in a denial of service attack by reading from a file or fifo that will block. ===== I see this more as a hardening measure, so we will treat this as VUL-1. Discussion of the issue: http://www.openwall.com/lists/oss-security/2014/10/15/24 References: https://bugzilla.redhat.com/show_bug.cgi?id=1192237 https://bugzilla.redhat.com/show_bug.cgi?id=1191144 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9680 http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9680.html
bugbot adjusting priority
fixed and released
SUSE-SU-2015:0985-1: An update that solves one vulnerability and has three fixes is now available. Category: security (moderate) Bug References: 880764,901145,904694,917806 CVE References: CVE-2014-9680 Sources used: SUSE Linux Enterprise Server 11 SP3 for VMware (src): sudo-1.7.6p2-0.23.1 SUSE Linux Enterprise Server 11 SP3 (src): sudo-1.7.6p2-0.23.1 SUSE Linux Enterprise Desktop 11 SP3 (src): sudo-1.7.6p2-0.23.1
closed prematurely. openSUSE 13.2 affected. openSUSE 13.1 affected.
SLE 12 affected, to be added to the next scheduled update.
Created attachment 652609 [details] patch SLE12, openSUSE 13.1 and openSUSE 13.2 Attaching a patch that suits for sudo 1.8.10p3 (SLE12, openSUSE 13.1 and openSUSE 13.2) It's an adjusted patch based on upstream patches for default branch [1] and 1.7 branch [2] [1] http://www.sudo.ws/repos/sudo/rev/650ac6938b59 [2] http://www.sudo.ws/repos/sudo/rev/33b545d19c03
This is an autogenerated message for OBS integration: This bug (917806) was mentioned in https://build.opensuse.org/request/show/340285 13.2+13.1 / sudo
Submissions overview: | Product | Affected | Version | Request | |---------------|----------|----------|----------------| | SLE11SP3 | yes | 1.7.6 | 57622 (vcizek) | | SLE12 | yes | 1.8.10p3 | waiting | | openSUSE 13.1 | yes | 1.8.10p3 | 340285 | | openSUSE 13.2 | yes | 1.8.10p3 | 340285 | | openSUSE Leap | yes | 1.8.10p3 | 340570 | | devel/Factory | no | 1.8.14p3 | --- | It's tracked on the list of the planned updates for SLE12. Reassigning to the security team for now.
This is an autogenerated message for OBS integration: This bug (917806) was mentioned in https://build.opensuse.org/request/show/340570 Leap:42.1 / sudo
openSUSE-SU-2015:1849-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 917806 CVE References: CVE-2014-9680 Sources used: openSUSE Leap 42.1 (src): sudo-1.8.10p3-5.1
openSUSE-SU-2015:1913-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 917806 CVE References: CVE-2014-9680 Sources used: openSUSE 13.2 (src): sudo-1.8.10p3-2.7.1 openSUSE 13.1 (src): sudo-1.8.10p3-5.16.1
Submitted to - SLE-11:Update - SLE-12:Update ----- Final submission overview: | Product | Affected | Version | Request | |---------------|----------|----------|-----------------| | SLE11 | yes | 1.7.6 | #84306 | | SLE11SP3 | yes | 1.7.6 | #57622 (vcizek) | | SLE12 | yes | 1.8.10p3 | #84302 | | openSUSE 13.1 | yes | 1.8.10p3 | #340285 | | openSUSE 13.2 | yes | 1.8.10p3 | #340285 | | openSUSE Leap | yes | 1.8.10p3 | #340570 | | devel/Factory | no | 1.8.14p3 | --- |
Submitted for SLE10SP3 by request #123916
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-11-29. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63198
SUSE-SU-2016:2904-1: An update that solves three vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1007501,1007766,899252,917806,979531 CVE References: CVE-2014-9680,CVE-2016-7032,CVE-2016-7076 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): sudo-1.8.10p3-2.6.1 SUSE Linux Enterprise Server 12-SP1 (src): sudo-1.8.10p3-2.6.1 SUSE Linux Enterprise Desktop 12-SP1 (src): sudo-1.8.10p3-2.6.1
openSUSE-SU-2016:3004-1: An update that solves three vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1007501,1007766,899252,917806,979531 CVE References: CVE-2014-9680,CVE-2016-7032,CVE-2016-7076 Sources used: openSUSE Leap 42.1 (src): sudo-1.8.10p3-8.1
released