FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2005-2959

This CVE name corresponds to:

Entered     Topic
2006-02-16  sudo -- arbitrary command execution

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type:  Candidate
Name:  CVE-2005-2959
Phase: Assigned (20050919)

Description

Incomplete blacklist vulnerability in sudo 1.6.8 and earlier allows local users to gain privileges via the (1) SHELLOPTS and (2) PS4 environment variables before executing a bash script on behalf of another user, which are not cleared even though other variables are.

References

Source    Reference
CONFIRM   http://www.sudo.ws/bugs/show_bug.cgi?id=182
CONFIRM   http://docs.info.apple.com/article.html?artnum=305214
APPLE     APPLE-SA-2007-03-13
DEBIAN    DSA-870
MANDRIVA  MDKSA-2005:201
OPENPKG   OpenPKG-SA-2006.002
SUSE      SUSE-SR:2005:025
SUSE      SUSE-SR:2006:002
UBUNTU    USN-213-1
CERT      TA07-072A
BID       15191
VUPEN     ADV-2007-0930
SECUNIA   17390
SECUNIA   17318
SECUNIA   17322
SECUNIA   17345
SECUNIA   17666
SECUNIA   18549
SECUNIA   24479