CVE-2010-1646

Name: CVE-2010-1646
Description: The secure path feature in env.c in sudo 1.3.1 through 1.6.9p22 and 1.7.0 through 1.7.2p6 does not properly handle an environment that contains multiple PATH variables, which might allow local users to gain privileges via a crafted value of the last PATH variable.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, web search, more)
References: DSA-2062-1
NVD severity: medium (attack range: local)
Debian Bugs: 585394
Debian/oldoldstable: not vulnerable.
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| sudo (PTS) | squeeze, squeeze (security) | 1.7.4p4-2.squeeze.4 | fixed |
| | squeeze (lts) | 1.7.4p4-2.squeeze.6 | fixed |
| | wheezy | 1.8.5p2-1+nmu3 | fixed |
| | wheezy (security) | 1.8.5p2-1+nmu3+deb7u1 | fixed |
| | jessie (security), jessie | 1.8.10p3-1+deb8u3 | fixed |
| | stretch, sid | 1.8.15-1.1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| sudo | source | (unstable) | 1.7.2p7-1 | medium | | 585394 |
| sudo | source | lenny | 1.6.9p17-3 | medium | DSA-2062-1 | |
