Bug 63233 (CVE-2004-1051)

Summary: VUL-0: CVE-2004-1051: sudo is passing environment variables, which might lead to priv escalation
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: Incidents Assignee: Ruediger Oertel <ro>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-1051: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2004-11-15 18:25:47 UTC
sudo in its current configuration passes several environment variables
down to the root process, which might be used to get an unwanted privilege
escalation.

Especially the environment variables "IFS" and "PATH" are merged over to
the called process/script.

With specially set paths or IFS, a user privileged to only run script "foo"
could run other scripts as root.

This is more of a design issue within sudo and known for some time, so
I am not sure whether we should really change this via a security update.

However, please change to this behaviour in STABLE.
Comment 1 Marcus Meissner 2004-11-15 18:25:48 UTC
n/a
Comment 2 Marcus Meissner 2004-11-15 18:27:18 UTC
Also problematic: exported shell functions with names of common binaries.
Comment 3 Marcus Meissner 2004-11-18 18:45:45 UTC
just for reference.  
======================================================                           
Candidate: CAN-2004-1051                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1051                 
Reference: CONFIRM:http://www.sudo.ws/sudo/alerts/bash_functions.html            
Reference: BUGTRAQ:20041112 Sudo version 1.6.8p2 now available (fwd)             
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110028877431192&w=2     
                                                                                 
sudo before 1.6.8p2 allows local users to execute arbitrary commands             
by using "()" style environment variables to create functions that are           
executed instead of any program within the bash script that do not               
have full pathnames.                                                             
Comment 4 Thomas Biege 2004-11-25 17:10:17 UTC
Marian,
do you need more information to handle the bug?
Comment 5 Thomas Biege 2004-11-25 18:09:42 UTC
... sorry. missed it's a stable-only fix. 
Comment 6 Marian Jancar 2004-12-02 19:57:00 UTC
will fix for 9.3
Comment 7 Marcus Meissner 2005-02-28 14:34:14 UTC
it is 9.3 time ... 
 
rudi is working on it I think 
Comment 8 Marcus Meissner 2005-02-28 14:34:48 UTC
reassign to Rudi who is working on it. 
Comment 9 Ruediger Oertel 2005-02-28 17:55:08 UTC
STABLE has 1.6.8p7 now, please reopen if any further action needed. 
 
Comment 10 Thomas Biege 2009-10-13 19:59:45 UTC
CVE-2004-1051: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
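
The three inputs named in this report (PATH, IFS and "()" style exported functions) can be filtered out of the caller's environment before a privileged command is executed. The C sketch below is an added example, not code from sudo or from this bug report; the function names, the fixed PATH value and the sample environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed trusted search path; use the one your system policy defines. */
static char safe_path[] = "PATH=/usr/sbin:/usr/bin:/sbin:/bin";
/* Constructed sample of a caller-controlled environment. */
static char *sample_env[] = {
    "PATH=/tmp/x:/usr/bin", "IFS=/", "ls=() { echo replaced; }",
    "TERM=xterm", NULL
};

/* Return 1 if a "NAME=value" entry must not reach the privileged command. */
static int env_is_unsafe(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t n = eq ? (size_t)(eq - entry) : 0;

    if (n == 0)
        return 1;                       /* malformed: no name or no '=' */
    if (strncmp(eq + 1, "()", 2) == 0)
        return 1;                       /* "()" style exported function */
    return (n == 3 && memcmp(entry, "IFS", 3) == 0) ||
           (n == 4 && memcmp(entry, "PATH", 4) == 0);
}

/* Copy envp without unsafe entries, with the fixed PATH first.
 * Strings are borrowed; the caller frees only the returned array. */
char **sanitize_env(char *const envp[])
{
    size_t count = 0, i, j = 0;
    char **out;

    while (envp[count] != NULL)
        count++;
    if ((out = calloc(count + 2, sizeof *out)) == NULL)
        return NULL;
    out[j++] = safe_path;
    for (i = 0; i < count; i++)
        if (!env_is_unsafe(envp[i]))
            out[j++] = envp[i];
    out[j] = NULL;
    return out;
}

/* Look up NAME in a NULL-terminated environment; NULL if absent. */
const char *env_get(char *const env[], const char *name)
{
    size_t n = strlen(name);
    for (; *env != NULL; env++)
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=')
            return *env + n + 1;
    return NULL;
}

int main(void)
{
    char **clean = sanitize_env(sample_env);
    for (char **e = clean; e && *e; e++)
        puts(*e);                       /* what the command would see */
    free(clean);
    return 0;
}
```

The filter matches on the value prefix as well as the name, because an exported function can be given any variable name, including that of a binary the script calls without a full pathname.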