Package: sudo
Version: 1.8.11p2-1
Tags: security

By default, sudo preserves the TZ variable[1] from the user's environment,
without any sanitization. This is a bad idea on glibc systems, where you
can set TZ to an arbitrary file, which will then be read by tzset(3):

  $ TZ=$PWD/tz sudo -u root strace -e read date +
  read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\233\1\0004\0\0\0"..., 512) = 512
  read(3, "moo\n", 4096) = 4
  read(3, "", 4096) = 0
  +++ exited with 0 +++

This can be abused for denial of service (by pointing TZ to a named pipe
or a tape device that wouldn't be otherwise readable); or it could allow
exploiting tzfile parsing bugs (such as #772705).
--
Jakub Wilk