Bug 917806 - (CVE-2014-9680) VUL-1: CVE-2014-9680: sudo: unsafe handling of TZ environment variable
(CVE-2014-9680)
VUL-1: CVE-2014-9680: sudo: unsafe handling of TZ environment variable
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/113847/
maint:released:sle11-sp3:61749 CVSSv2...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-02-13 12:30 UTC by Johannes Segitz
Modified: 2019-05-01 16:53 UTC (History)
8 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch SLE12, openSUSE 13.1 and openSUSE 13.2 (2.69 KB, patch)
2015-10-21 14:02 UTC, Kristyna Streitova
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2015-02-13 12:30:36 UTC
rh#1191144

Prior to sudo 1.8.12, the TZ environment variable was passed through
unchecked.  Most libc tzset() implementations support passing an
absolute pathname in the time zone to point to an arbitrary,
user-controlled file.  This may be used to exploit bugs in the C
library's TZ parser or open files the user would not otherwise have
access to.  Arbitrary file access via TZ could also be used in a
denial of service attack by reading from a file or fifo that will
block.

=====

I see this more as a hardening measure, so we will treat this as VUL-1. Discussion of the issue: http://www.openwall.com/lists/oss-security/2014/10/15/24

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1192237
https://bugzilla.redhat.com/show_bug.cgi?id=1191144
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9680
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9680.html
Comment 1 Swamp Workflow Management 2015-02-13 23:00:43 UTC
bugbot adjusting priority
Comment 4 Victor Pereira 2015-06-02 08:18:48 UTC
fixed and released
Comment 5 Swamp Workflow Management 2015-06-02 10:05:39 UTC
SUSE-SU-2015:0985-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 880764,901145,904694,917806
CVE References: CVE-2014-9680
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    sudo-1.7.6p2-0.23.1
SUSE Linux Enterprise Server 11 SP3 (src):    sudo-1.7.6p2-0.23.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    sudo-1.7.6p2-0.23.1
Comment 7 Andreas Stieger 2015-07-10 13:40:45 UTC
closed prematurely.
openSUSE 13.2 affected.
openSUSE 13.1 affected.
Comment 9 Andreas Stieger 2015-07-10 13:42:40 UTC
SLE 12 affected, to be added to the next scheduled update.
Comment 10 Kristyna Streitova 2015-10-21 14:02:49 UTC
Created attachment 652609 [details]
patch SLE12, openSUSE 13.1 and openSUSE 13.2

Attaching a patch that suits for sudo 1.8.10p3 (SLE12, openSUSE 13.1 and openSUSE 13.2)

It's an adjusted patch based on upstream patches for default branch [1] and 1.7 branch [2]

[1] http://www.sudo.ws/repos/sudo/rev/650ac6938b59
[2] http://www.sudo.ws/repos/sudo/rev/33b545d19c03
Comment 11 Bernhard Wiedemann 2015-10-21 15:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (917806) was mentioned in
https://build.opensuse.org/request/show/340285 13.2+13.1 / sudo
Comment 12 Kristyna Streitova 2015-10-23 09:36:01 UTC
Submissions overview:

|    Product    | Affected | Version  |    Request     |
|---------------|----------|----------|----------------|
| SLE11SP3      | yes      | 1.7.6    | 57622 (vcizek) |
| SLE12         | yes      | 1.8.10p3 | waiting        |
| openSUSE 13.1 | yes      | 1.8.10p3 | 340285         |
| openSUSE 13.2 | yes      | 1.8.10p3 | 340285         |
| openSUSE Leap | yes      | 1.8.10p3 | 340570         |
| devel/Factory | no       | 1.8.14p3 | ---            |


It's tracked on the list of the planned updates for SLE12. Reassigning to the security team for now.
Comment 13 Bernhard Wiedemann 2015-10-23 10:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (917806) was mentioned in
https://build.opensuse.org/request/show/340570 Leap:42.1 / sudo
Comment 14 Swamp Workflow Management 2015-10-30 13:11:44 UTC
openSUSE-SU-2015:1849-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 917806
CVE References: CVE-2014-9680
Sources used:
openSUSE Leap 42.1 (src):    sudo-1.8.10p3-5.1
Comment 15 Swamp Workflow Management 2015-11-04 16:18:13 UTC
openSUSE-SU-2015:1913-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 917806
CVE References: CVE-2014-9680
Sources used:
openSUSE 13.2 (src):    sudo-1.8.10p3-2.7.1
openSUSE 13.1 (src):    sudo-1.8.10p3-5.16.1
Comment 16 Kristyna Streitova 2015-12-03 13:36:35 UTC
Submitted to 
- SLE-11:Update
- SLE-12:Update

-----

Final submission overview:


|    Product    | Affected | Version  |    Request      |
|---------------|----------|----------|-----------------|
| SLE11         | yes      | 1.7.6    | #84306          |
| SLE11SP3      | yes      | 1.7.6    | #57622 (vcizek) |
| SLE12         | yes      | 1.8.10p3 | #84302          |
| openSUSE 13.1 | yes      | 1.8.10p3 | #340285         |
| openSUSE 13.2 | yes      | 1.8.10p3 | #340285         |
| openSUSE Leap | yes      | 1.8.10p3 | #340570         |
| devel/Factory | no       | 1.8.14p3 | ---             |
Comment 19 Kristyna Streitova 2016-11-13 20:28:15 UTC
Submitted for SLE10SP3 by request #123916
Comment 21 Swamp Workflow Management 2016-11-15 12:51:46 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-11-29.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63198
Comment 22 Swamp Workflow Management 2016-11-24 17:15:20 UTC
SUSE-SU-2016:2904-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1007501,1007766,899252,917806,979531
CVE References: CVE-2014-9680,CVE-2016-7032,CVE-2016-7076
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    sudo-1.8.10p3-2.6.1
SUSE Linux Enterprise Server 12-SP1 (src):    sudo-1.8.10p3-2.6.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    sudo-1.8.10p3-2.6.1
Comment 23 Swamp Workflow Management 2016-12-05 12:09:58 UTC
openSUSE-SU-2016:3004-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1007501,1007766,899252,917806,979531
CVE References: CVE-2014-9680,CVE-2016-7032,CVE-2016-7076
Sources used:
openSUSE Leap 42.1 (src):    sudo-1.8.10p3-8.1
Comment 24 Marcus Meissner 2016-12-18 19:47:47 UTC
released