Bug 34270 - sudo: Insufficient environment sanitising (ES 3.1)
sudo: Insufficient environment sanitising (ES 3.1)
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.1
Other Linux
: P4 normal (vote)
: UCS 3.1-ES
Assigned To: Arvid Requate
Janek Walkenhorst
Depends on:
  Show dependency treegraph
Reported: 2014-03-06 10:21 CET by Moritz Muehlenhoff
Modified: 2015-05-04 17:06 CEST (History)
1 user (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Advisory (1.62 KB, text/plain)
2015-04-08 21:07 CEST, Arvid Requate

Note You need to log in before you can comment on or make changes to this bug.
Description Moritz Muehlenhoff univentionstaff 2014-03-06 10:21:40 CET

By default sudo sanitises the environment: All environment variables are reset with the exception of a few harmless ones (e.g. PATH, USER etc). This prevents privilege escalation attacks e.g. with programs using dynamic load paths.
This is the default in UCS.

However, if the sanitising feature is turned off and environment variables are passed on the command line, they are not treated by the env_check and env_delete options.

This has low priority, since disabling the sanitising is insecure itself.
Comment 1 Moritz Muehlenhoff univentionstaff 2014-06-02 07:59:17 CEST
The maintenance with bug and security fixes for UCS 3.1-x has ended on 31st of May 2014.

The maintenance of the UCS 3.x major series is continued by UCS 3.2-x that is supplied with bug and security fixes.

Customers still on UCS 3.1-x are encouraged to update to UCS 3.2. Please contact your partner or Univention for any questions.
Comment 2 Arvid Requate univentionstaff 2015-04-07 15:22:32 CEST
There is a similar issue which is exploitable by local users only:

CVE-2014-9680: Arbitrary file access via user defined TZ environment variable

According to the policy for 3.1 Extended Security a fix is not mandatory.
Comment 3 Arvid Requate univentionstaff 2015-04-08 21:07:32 CEST
Created attachment 6811 [details]

Upstream package version 1.7.4p4-2.squeeze.5 imported and built in extsec3.1.
Comment 4 Janek Walkenhorst univentionstaff 2015-05-03 20:25:56 CEST
Tests (amd64): OK
Advisory: OK
Changelog: OK
Comment 5 Janek Walkenhorst univentionstaff 2015-05-04 17:06:05 CEST