oss-sec mailing list archives
Re: Re: CVE request: sudo TZ issue
From: Florian Weimer <fweimer () redhat com>
Date: Wed, 11 Feb 2015 10:14:32 +0100
On 02/11/2015 06:59 AM, cve-assign () mitre org wrote:
> http://www.sudo.ws/alerts/tz.html
>
> We are not sure why this is being interpreted as a vulnerability in sudo that should have a CVE assignment in which sudo is the responsible product. It appears that you are adding a new security feature in which sudo chooses to help prevent exploitation of bugs in a system library such as libc.
Changing environment variables is not compliant with the prevalent interpretation of POSIX, and as a result, at least glibc will not change its behavior. This means that AT_SECURE programs such as sudo need to implement proper filtering. I will obtain clarification from the Austin Group that scrubbing environment variables in the implementation name space is allowed, and then we can revisit this matter as far as glibc is concerned.

-- 
Florian Weimer / Red Hat Product Security
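The kind of filtering Florian says an AT_SECURE program has to do for itself, as an added C example that is not code from sudo or glibc; the TZ policy it enforces (zoneinfo-style names and plain POSIX TZ strings only, no absolute paths, no "..", no unusual bytes) is an assumed conservative rule for illustration, not sudo's actual check.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy (not sudo's real rule): accept only values that name
 * a zoneinfo entry relative to the system database ("Europe/Berlin",
 * ":America/New_York") or a plain POSIX TZ string ("EST5EDT,M3.2.0,M11.1.0").
 * Absolute paths and ".." are rejected so that a privileged program never
 * lets libc open a caller-chosen file when it parses TZ. */
int tz_value_is_safe(const char *tz)
{
    if (tz == NULL) return 1;               /* unset TZ needs no filtering */
    if (*tz == ':') tz++;                   /* POSIX permits a leading ':' */
    size_t len = strlen(tz);
    if (len == 0 || len > 64) return 0;     /* empty or implausibly long */
    if (tz[0] == '/') return 0;             /* absolute path: not a zone name */
    if (strstr(tz, "..") != NULL) return 0; /* directory traversal */
    for (const char *p = tz; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '/' || c == '-' || c == '+' || c == '_' ||
              c == ',' || c == '.' || c == ':'))
            return 0;                       /* anything else is rejected */
    }
    return 1;
}

/* Copy the environment into out[], dropping TZ when it fails the policy.
 * Every other variable passes through unchanged. Returns the entry count;
 * out[] is NULL-terminated and must have room for out_cap pointers. */
size_t scrub_environment(char *const in[], char *out[], size_t out_cap)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != NULL && n + 1 < out_cap; i++) {
        if (strncmp(in[i], "TZ=", 3) == 0 && !tz_value_is_safe(in[i] + 3))
            continue;                       /* unsafe TZ is not passed on */
        out[n++] = in[i];
    }
    out[n] = NULL;
    return n;
}

int main(void)
{
    /* constructed sample environment, as a setuid launcher might receive it */
    char *env[] = { "PATH=/usr/bin", "TZ=/absolute/path/file", "LANG=C", NULL };
    char *clean[8];
    size_t n = scrub_environment(env, clean, 8);
    for (size_t i = 0; i < n; i++) printf("%s\n", clean[i]);
    return 0;
}
```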