sudo: Information disclosure — GLSA 201504-02

A vulnerability in sudo could allow a local attacker to read arbitrary files or bypass security restrictions.

Affected packages

app-admin/sudo on all architectures
Affected versions < 1.8.12
Unaffected versions >= 1.8.12

Background

sudo allows a system administrator to give users the ability to run commands as other users. Access to commands may also be granted for a range of hosts.

Description

sudo does not handle the TZ environment variable properly.

Impact

A local attacker may be able to read arbitrary files or information from device special files.

Workaround

There is no known workaround at this time.

Resolution

All sudo users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.8.12"
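
A version check against the affected range above, for auditing hosts before and after the upgrade. This is an added example, not part of the GLSA or of sudo; the function names and the sample inventory are constructed, and version strings with beta or release-candidate suffixes are reported as UNKNOWN rather than guessed.

```shell
# Added example (not from the advisory): classify sudo version strings
# against the fixed release named in GLSA 201504-02.
FIXED_VERSION="1.8.12"

# Print "major minor micro patch" for 1.8.11, 1.8.11p2 or Gentoo's
# 1.8.11_p2-r1; fail on anything else (betas, release candidates).
parse_sudo_version() {
    v=${1%-r[0-9]*}; patch=0             # drop a Gentoo "-rN" revision
    case $v in *p[0-9]*) patch=${v##*p}; v=${v%p*}; v=${v%_} ;; esac
    case $v in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    case $patch in ''|*[!0-9]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    [ $# -eq 3 ] || return 1
    echo "$1 $2 $3 $patch"
}

# Exit status: 0 = affected, 1 = not affected, 2 = unparseable.
sudo_is_affected() {
    have=$(parse_sudo_version "$1") || return 2
    want=$(parse_sudo_version "$FIXED_VERSION") || return 2
    set -- $have $want
    # $1 and $5 are the same field of each version; shift walks all four.
    for n in 1 2 3 4; do
        if [ "$1" -lt "$5" ]; then return 0; fi
        if [ "$1" -gt "$5" ]; then return 1; fi
        shift
    done
    return 1                             # equal to the fixed version
}

# Read "host version" lines on stdin, print one verdict per host.
audit_inventory() {
    while read -r host version; do
        rc=0; sudo_is_affected "$version" || rc=$?
        case $rc in
            0) echo "$host $version AFFECTED" ;;
            1) echo "$host $version ok" ;;
            *) echo "$host $version UNKNOWN" ;;
        esac
    done
}

# Constructed sample inventory; on a live host the string comes from the
# first line of `sudo -V` ("Sudo version X").
audit_inventory <<'EOF'
build01 1.8.11_p2-r1
web02 1.8.12
db03 1.8.6p7
lab04 1.8.12rc1
EOF
```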
 

References

Release date
April 11, 2015

Latest revision
April 11, 2015: 1

Severity
normal

Exploitable
local

Bugzilla entries