63233 – (CVE-2004-1051) VUL-0: CVE-2004-1051: sudo is passing environment variables, which might lead to priv escalation

Bug 63233 (CVE-2004-1051) - VUL-0: CVE-2004-1051: sudo is passing environment variables, which might lead to priv escalation

Summary: VUL-0: CVE-2004-1051: sudo is passing environment variables, which might lead...

Status:	RESOLVED FIXED

Alias:	CVE-2004-1051

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	All Linux

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Ruediger Oertel
QA Contact:	Security Team bot

URL:
Whiteboard:	CVE-2004-1051: CVSS v2 Base Score: 7....
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2004-11-15 18:25 UTC by Marcus Meissner
Modified:	2021-10-16 09:13 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Other
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2004-11-15 18:25:47 UTC

sudo in its current configuration passes several environment variables 
down to the root process, which might be used to get a unwanted privilege 
escalation. 
 
especially the environment variables "IFS" and "PATH" are merged over to 
the called process/script. 
 
with specially set paths or ifs a user privileged to only run script "foo"  
could run other scripts as root. 
 
 
This is more of a design issue within sudo and known for some time, so  
I am not sure whether we should really change this via a security update. 
 
However, please change to this behaviour in STABLE.

Comment 1 Marcus Meissner 2004-11-15 18:25:48 UTC

<!-- SBZ_reproduce  -->
n/a

Comment 2 Marcus Meissner 2004-11-15 18:27:18 UTC

also problematic: exported shell functions with names of common binaries.

Comment 3 Marcus Meissner 2004-11-18 18:45:45 UTC

just for reference.  
======================================================                           
Candidate: CAN-2004-1051                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1051                 
Reference: CONFIRM:http://www.sudo.ws/sudo/alerts/bash_functions.html            
Reference: BUGTRAQ:20041112 Sudo version 1.6.8p2 now available (fwd)             
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110028877431192&w=2     
                                                                                 
sudo before 1.6.8p2 allows local users to execute arbitrary commands             
by using "()" style environment variables to create functions that are           
executed instead of any program within the bash script that do not               
have full pathnames.

Comment 4 Thomas Biege 2004-11-25 17:10:17 UTC

Marian, 
do you need more informations to handle the bug?

Comment 5 Thomas Biege 2004-11-25 18:09:42 UTC

... sorry. missed it's a stable-only fix.

Comment 6 Marian Jancar 2004-12-02 19:57:00 UTC

will fix for 9.3

Comment 7 Marcus Meissner 2005-02-28 14:34:14 UTC

it is 9.3 time ... 
 
rudi is working on it I think

Comment 8 Marcus Meissner 2005-02-28 14:34:48 UTC

reassign to Rudi who is working on it.

Comment 9 Ruediger Oertel 2005-02-28 17:55:08 UTC

STABLE has 1.6.8p7 now, please reopen if any further action needed.

Comment 10 Thomas Biege 2009-10-13 19:59:45 UTC

CVE-2004-1051: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)