Advisories » MGASA-2015-0079

Updated sudo packages fix CVE-2014-9680

Publication date: 19 Feb 2015
Modification date: 19 Feb 2015
Type: security
Affected Mageia releases : 4
CVE: CVE-2014-9680

Description

Updated sudo packages fix security vulnerability:

Prior to sudo 1.8.12, the TZ environment variable was passed through
unchecked. Most libc tzset() implementations support passing an absolute
pathname in the time zone to point to an arbitrary, user-controlled file. This
may be used to exploit bugs in the C library's TZ parser or open files the
user would not otherwise have access to. Arbitrary file access via TZ could
also be used in a denial of service attack by reading from a file or fifo that
will block (CVE-2014-9680).

The sudo package has been updated to version 1.8.12, fixing this issue and
several other bugs.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=15247
• http://www.sudo.ws/alerts/tz.html
• http://www.sudo.ws/sudo/stable.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9680

SRPMS

4/core

• sudo-1.8.12-1.mga4