{"id":"CVE-2014-9680","details":"sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.","modified":"2026-04-16T06:22:16.790693864Z","published":"2017-04-24T06:59:00Z","related":["SUSE-SU-2015:0985-1","SUSE-SU-2016:2904-1","openSUSE-SU-2024:11413-1"],"references":[{"type":"ADVISORY","url":"http://openwall.com/lists/oss-security/2014/10/15/24"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2015-1409.html"},{"type":"ADVISORY","url":"http://www.sudo.ws/alerts/tz.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201504-02"},{"type":"ARTICLE","url":"http://openwall.com/lists/oss-security/2014/10/15/24"},{"type":"EVIDENCE","url":"http://openwall.com/lists/oss-security/2014/10/15/24"},{"type":"WEB","url":"http://www.securitytracker.com/id/1033158"}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}