FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2010-1646

This CVE name corresponds to:

Entered Topic
2010-06-02 sudo -- Secure path vulnerability

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2010-1646
Phase Assigned (20100429)

Description

The secure path feature in env.c in sudo 1.3.1 through 1.6.9p22 and 1.7.0 through 1.7.2p6 does not properly handle an environment that contains multiple PATH variables, which might allow local users to gain privileges via a crafted value of the last PATH variable.

References

Source Reference
BUGTRAQ 20101027 rPSA-2010-0075-1 sudo
CONFIRM http://www.sudo.ws/repos/sudo/rev/3057fde43cf0
CONFIRM http://www.sudo.ws/repos/sudo/rev/a09c6812eaec
CONFIRM http://www.sudo.ws/sudo/alerts/secure_path.html
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=598154
CONFIRM http://wiki.rpath.com/Advisories:rPSA-2010-0075
DEBIAN DSA-2062
FEDORA FEDORA-2010-9402
FEDORA FEDORA-2010-9415
FEDORA FEDORA-2010-9417
GENTOO GLSA-201009-03
MANDRIVA MDVSA-2010:118
REDHAT RHSA-2010:0475
SUSE SUSE-SR:2011:002
BID 40538
OSVDB 65083
OVAL oval:org.mitre.oval:def:10580
OVAL oval:org.mitre.oval:def:7338
SECTRACK 1024101
SECUNIA 40002
SECUNIA 40188
SECUNIA 40215
SECUNIA 40508
SECUNIA 43068
VUPEN ADV-2010-1452
VUPEN ADV-2010-1518
VUPEN ADV-2010-1519
VUPEN ADV-2010-1478
VUPEN ADV-2011-0212