CVE-2014-0106

NameCVE-2014-0106
DescriptionSudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly check environment variables for the env_delete restriction, which allows local users with sudo permissions to bypass intended command restrictions via a crafted environment variable.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-160-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sudo (PTS)bullseye1.9.5p2-3+deb11u1fixed
bullseye (security)1.9.5p2-3+deb11u2fixed
bookworm, bookworm (security)1.9.13p3-1+deb12u2fixed
trixie1.9.16p2-3fixed
forky, sid1.9.17p2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sudosourcesqueeze1.7.4p4-2.squeeze.5DLA-160-1
sudosource(unstable)1.8.5p2-1low

Notes

[squeeze] - sudo <no-dsa> (environment sanitising is enabled by default and turning it off in insecure anyway)
http://www.sudo.ws/sudo/alerts/env_add.html
Search for package or bug name: Reporting problems