Circumvention of sudo's secure path option
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
sudo (Ubuntu) |
Fix Released
|
Undecided
|
Jamie Strandboge | ||
Dapper |
Fix Released
|
Undecided
|
Jamie Strandboge | ||
Hardy |
Fix Released
|
Undecided
|
Jamie Strandboge | ||
Jaunty |
Fix Released
|
Undecided
|
Jamie Strandboge | ||
Karmic |
Fix Released
|
Undecided
|
Jamie Strandboge | ||
Lucid |
Fix Released
|
Undecided
|
Jamie Strandboge | ||
Maverick |
Fix Released
|
Undecided
|
Jamie Strandboge |
Bug Description
Binary package hint: sudo
From sudo upstream:
Most versions of the C library function getenv() return the first instance of an environment variable to the caller. However, some programs, notably the GNU Bourne Again SHell (bash), do their own environment parsing and may choose the last instance of a variable rather than the first one.
An attacker may manipulate the environment of the process that executes Sudo such that a second PATH variable is present. When Sudo runs a bash script, it is this second PATH variable that is used by bash, regardless of whether or not Sudo has overwritten the first instance of PATH. This may allow an attacker to subvert the program being run under Sudo and execute commands he/she would not otherwise be allowed to run.
Patches available at http://
visibility: | private → public |
Changed in sudo (Ubuntu): | |
status: | New → Confirmed |
Changed in sudo (Ubuntu Maverick): | |
status: | Triaged → Fix Committed |
Dapper - Lucid were fixed in http:// www.ubuntu. com/usn/ usn-956- 1.
Maverick will be fixed after Alpha 2 is released.