CVE-2014-0106

Name	CVE-2014-0106
Description	Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly check environment variables for the env_delete restriction, which allows local users with sudo permissions to bypass intended command restrictions via a crafted environment variable.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
References	DLA-160-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
sudo (PTS)	buster	1.8.27-1+deb10u3	fixed
	buster (security)	1.8.27-1+deb10u5	fixed
	bullseye (security), bullseye	1.9.5p2-3+deb11u1	fixed
	bookworm, sid	1.9.13p3-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
sudo	source	squeeze	1.7.4p4-2.squeeze.5		DLA-160-1
sudo	source	(unstable)	1.8.5p2-1	low

Notes

[squeeze] - sudo <no-dsa> (environment sanitising is enabled by default and turning it off in insecure anyway)
http://www.sudo.ws/sudo/alerts/env_add.html