SB2013100202 - Information disclosure in sudo (Alpine package)
Published: October 2, 2013
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2014-9680)
The vulnerability allows a local authenticated user to gain access to sensitive information.
sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.
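The kind of check the description says was missing, as an added example (not sudo's or Alpine's code): a TZ value is accepted only if it cannot name a file outside the zoneinfo directory. The names `tz_value_ok`, `ZONEINFO_DIR` and `TZ_MAX_LEN`, the directory path and the sample values are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumptions: zoneinfo location and length limit vary by system. */
#define ZONEINFO_DIR "/usr/share/zoneinfo"
#define TZ_MAX_LEN 4096

/* Return true if a TZ value cannot name a file outside ZONEINFO_DIR. */
bool tz_value_ok(const char *tz)
{
    size_t dirlen = sizeof(ZONEINFO_DIR) - 1;
    const char *p;
    char prev = '/';

    if (tz == NULL)
        return false;
    /* A leading ':' marks the rest as a file name for the C library. */
    if (tz[0] == ':')
        tz++;
    /* Absolute paths must point below the zoneinfo directory. */
    if (tz[0] == '/' &&
        (strncmp(tz, ZONEINFO_DIR, dirlen) != 0 || tz[dirlen] != '/'))
        return false;
    for (p = tz; *p != '\0'; p++) {
        /* Only printable, non-space characters. */
        if (!isgraph((unsigned char)*p))
            return false;
        /* No ".." path element that could climb out of the directory. */
        if (prev == '/' && p[0] == '.' && p[1] == '.' &&
            (p[2] == '/' || p[2] == '\0'))
            return false;
        prev = *p;
    }
    /* Reject overlong values even when they are not paths. */
    return (size_t)(p - tz) < TZ_MAX_LEN;
}

int main(void)
{
    /* Constructed sample values. */
    const char *samples[] = { "UTC", "Europe/Berlin", ":/usr/share/zoneinfo/UTC",
                              "/tmp/not-a-zone", "Europe/../../tmp/not-a-zone" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-30s %s\n", samples[i], tz_value_ok(samples[i]) ? "keep" : "drop");
    return 0;
}
```

A privileged launcher would apply a check like this before copying TZ into the child's environment and drop the variable when it fails.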
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=b1df3371d233b3c91a9e14e1ff2650f07e2d38d3
- https://git.alpinelinux.org/aports/commit/?id=484e6f932c3ce72e6de3242d9ac39bf3447056aa
- https://git.alpinelinux.org/aports/commit/?id=cc5152318c70bce1404f00830e652a389338da8b
- https://git.alpinelinux.org/aports/commit/?id=6a6fde0b6ddc9eb00d12e9b4a02294bdc2845053