CVE-2014-9680

NameCVE-2014-9680
Descriptionsudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-160-1, DSA-3167-1
Debian Bugs772707

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sudo (PTS)buster1.8.27-1+deb10u3fixed
buster (security)1.8.27-1+deb10u6fixed
bullseye (security), bullseye1.9.5p2-3+deb11u1fixed
bookworm1.9.13p3-1+deb12u1fixed
sid, trixie1.9.15p5-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sudosourcesqueeze1.7.4p4-2.squeeze.5DLA-160-1
sudosourcewheezy1.8.5p2-1+nmu2DSA-3167-1
sudosourcejessie1.8.10p3-1+deb8u2
sudosource(unstable)1.8.12-1772707

Notes

https://www.openwall.com/lists/oss-security/2014/10/15/24
http://www.sudo.ws/repos/sudo/rev/650ac6938b59 (1.8.x)
http://www.sudo.ws/repos/sudo/rev/ac1467f71ac0 (typos)
http://www.sudo.ws/repos/sudo/rev/91859f613b88 (description)
http://www.sudo.ws/repos/sudo/rev/579b02f0dbe0 (improved description)
https://www.openwall.com/lists/oss-security/2015/02/09/12
Search for package or bug name: Reporting problems