Bug 34271 - sudo: Insufficient environment sanitising (3.2)
Status: CLOSED WORKSFORME
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
P4 normal
UCS 3.2-x-errata
Assigned To: Security maintainers
Reported: 2014-03-06 10:22 CET by Moritz Muehlenhoff
Modified: 2019-04-11 19:23 CEST (History)
Description Moritz Muehlenhoff univentionstaff 2014-03-06 10:22:02 CET
+++ This bug was initially created as a clone of Bug #34270 +++

CVE-2014-0106

By default sudo sanitises the environment: All environment variables are reset with the exception of a few harmless ones (e.g. PATH, USER etc). This prevents privilege escalation attacks e.g. with programs using dynamic load paths.
This is the default in UCS.

However, if the sanitising feature is turned off and environment variables are passed on the command line, they are not treated by the env_check and env_delete options.

This has low priority, since disabling the sanitising is insecure itself.
Comment 1 Moritz Muehlenhoff univentionstaff 2014-07-08 16:28:41 CEST
(In reply to Moritz Muehlenhoff from comment #0)
> +++ This bug was initially created as a clone of Bug #34270 +++
> 
> CVE-2014-0106
> 
> By default sudo sanitises the environment: All environment variables are
> reset with the exception of a few harmless ones (e.g. PATH, USER etc). This
> prevents privilege escalation attacks e.g. with programs using dynamic load
> paths.
> This is the default in UCS.
> 
> However, if the sanitising feature is turned off and environment variables
> are passed on the command line, they are not treated by the env_check and
> env_delete options.
> 
> This has low priority, since disabling the sanitising is insecure itself.

This won't be fixed in UCS 3.x due to low impact. The problem is fixed in the upcoming UCS 4.0 release.
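
To check whether a host is in the non-default configuration this report describes, sudoers content can be scanned for entries that switch environment resetting off. The following Python check is an added example, not part of the bug report or of UCS. It assumes the sudoers option name `env_reset` (the sudoers name for the sanitising feature, not quoted on this page), runs on constructed sample content, and handles only a simplified subset of sudoers syntax.

```python
import re

# Constructed sample sudoers content (not taken from any real host).
SAMPLE_SUDOERS = r'''# constructed sample
Defaults        env_reset
Defaults        env_delete += "LD_PRELOAD LD_LIBRARY_PATH"
Defaults:backup !env_reset, \
                env_check += "TZ"
Defaults!/usr/bin/rsync mail_badpass,!env_reset
# Defaults !env_reset   (commented out, must not be reported)
alice ALL=(ALL) ALL
'''

# "Defaults", an optional scope glued to it (@host, :user, !command, >runas),
# whitespace, then the comma-separated parameter list.
DEFAULTS_RE = re.compile(r'^Defaults(?P<scope>[@:!>]\S+)?\s+(?P<params>.+)$')

def logical_lines(text):
    """Yield (first_line_number, joined_line), honouring backslash continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None

def split_params(params):
    """Split a Defaults parameter list on commas that are outside double quotes."""
    return [p.strip() for p in re.findall(r'(?:"[^"]*"|[^,"])+', params)]

def find_env_reset_disabled(text):
    """Return [(line_no, scope)] for every Defaults entry that negates env_reset."""
    hits = []
    for line_no, line in logical_lines(text):
        if line.startswith("#"):          # comment (also skips #include lines)
            continue
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        for p in split_params(m.group("params")):
            if re.match(r'!env_reset\b', p):
                hits.append((line_no, m.group("scope") or "global"))
    return hits

if __name__ == "__main__":
    for line_no, scope in find_env_reset_disabled(SAMPLE_SUDOERS):
        print(f"line {line_no}: env_reset disabled (scope: {scope})")
```

Files pulled in through include directives are not followed, so each file has to be passed to `find_env_reset_disabled` separately.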