VDB

MAGEIA-2015-79

MAGEIA-2015-79 PUBLISHED

Updated sudo packages fix security vulnerability: Prior to sudo 1.8.12, the TZ environment variable was passed through unchecked. Most libc tzset() implementations support passing an absolute pathname in the time zone to point to an arbitrary, user-controlled file. This may be used to exploit bugs in the C library's TZ parser or open files the user would not otherwise have access to. Arbitrary file access via TZ could also be used in a denial of service attack by reading from a file or fifo that will block (CVE-2014-9680). The sudo package has been updated to version 1.8.12, fixing this issue and several other bugs.

Affected Products

VendorProductVersions
Mageiastunnel0, 4.56-3.3.mga4
Mageiasudo0, 1.8.12-1.mga4, 0

Timeline

  • Feb 19, 2015 CVE Updated
  • Feb 19, 2015 CVE Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›