{"id":"MGASA-2015-0079","summary":"Updated sudo packages fix CVE-2014-9680","details":"Updated sudo packages fix security vulnerability:\n\nPrior to sudo 1.8.12, the TZ environment variable was passed through\nunchecked. Most libc tzset() implementations support passing an absolute\npathname in the time zone to point to an arbitrary, user-controlled file. This\nmay be used to exploit bugs in the C library's TZ parser or open files the\nuser would not otherwise have access to. Arbitrary file access via TZ could\nalso be used in a denial of service attack by reading from a file or fifo that\nwill block (CVE-2014-9680).\n\nThe sudo package has been updated to version 1.8.12, fixing this issue and\nseveral other bugs.\n","modified":"2026-04-16T06:25:20.478226390Z","published":"2015-02-19T14:43:07Z","upstream":["CVE-2014-9680"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2015-0079.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=15247"},{"type":"WEB","url":"http://www.sudo.ws/alerts/tz.html"},{"type":"WEB","url":"http://www.sudo.ws/sudo/stable.html"}],"affected":[{"package":{"name":"sudo","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/sudo?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.8.12-1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0079.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}