CVE-2014-9680

Publication date 31 December 2014

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
sudo	14.10 utopic	Fixed 1.8.9p5-1ubuntu2.1
	14.04 LTS trusty	Fixed 1.8.9p5-1ubuntu1.1
	12.04 LTS precise	Fixed 1.8.3p1-1ubuntu3.7
	10.04 LTS lucid	Fixed 1.7.2p1-1ubuntu5.8

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
sudo	Upstream: http://www.sudo.ws/repos/sudo/rev/650ac6938b59 Upstream: http://www.sudo.ws/repos/sudo/rev/ac1467f71ac0 Upstream: http://www.sudo.ws/repos/sudo/rev/91859f613b88 Upstream: http://www.sudo.ws/repos/sudo/rev/579b02f0dbe0 Upstream: http://www.sudo.ws/repos/sudo/rev/33b545d19c03

Severity score breakdown

Parameter	Value
Base score	3.3 · Low
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	Low
Integrity impact	None
Availability impact	None
Vector	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

Related Ubuntu Security Notices (USN)

USN-2533-1
Sudo vulnerability
16 March 2015