=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2006/VULN484
_____________________________________________________________________

DATE                      : 05/09/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Mandriva Linux running sudo.

======================================================================

  _______________________________________________________________________

  Mandriva Linux Security Advisory                         MDKSA-2006:159
  http://www.mandriva.com/security/
  _______________________________________________________________________

  Package : sudo
  Date    : August 31, 2006
  Affected: 2006.0, Corporate 3.0, Multi Network Firewall 2.0
  _______________________________________________________________________

  Problem Description:

  Previous sudo updates were made available to sanitize certain
  environment variables from affecting a sudo call, such as
  PYTHONINSPECT, PERL5OPT, etc.  While those updates were effective in
  addressing those specific environment variables, other variables that
  were not blacklisted were being made available.

  Debian addressed this issue by forcing sudo to use a whitlist approach
  in DSA-946-2 by arbitrarily making env_reset the default (as opposed
  to having to be enabled in /etc/sudoers).  Mandriva has opted to follow
  the same approach so now only certain variables are, by default, made
  available, such as HOME, LOGNAME, SHELL, TERM, DISPLAY, XAUTHORITY,
  XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER, as well as the SUDO_*
  variables.

  If other variables are required to be kept, this can be done by editing
  /etc/sudoers and using the env_keep option, such as:

      Defaults env_keep="FOO BAR"

  As well, the Corporate 3 packages are now compiled with the SECURE_PATH
  setting.

  Updated packages are patched to address this issue.
  _______________________________________________________________________

  References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-4158
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0151
  http://www.debian.org/security/2006/dsa-946
  _______________________________________________________________________

  Updated Packages:

  Mandriva Linux 2006.0:
  859526089cecbc00c11b0c76509f97b1  2006.0/RPMS/sudo-1.6.8p8-2.3.20060mdk.i586.rpm
  7dce7457a74d625018aee6690bcc35d7  2006.0/SRPMS/sudo-1.6.8p8-2.3.20060mdk.src.rpm

  Mandriva Linux 2006.0/X86_64:
  8ab6e95323473f6f1f72c255aa4453ae 
x86_64/2006.0/RPMS/sudo-1.6.8p8-2.3.20060mdk.x86_64.rpm
  7dce7457a74d625018aee6690bcc35d7 
x86_64/2006.0/SRPMS/sudo-1.6.8p8-2.3.20060mdk.src.rpm

  Corporate 3.0:
  df8964b76a758340a3a283147dce03d5 
corporate/3.0/RPMS/sudo-1.6.7-0.p5.2.5.C30mdk.i586.rpm
  3d4fe9dd6e7f729266af98a318be1b48 
corporate/3.0/SRPMS/sudo-1.6.7-0.p5.2.5.C30mdk.src.rpm

  Corporate 3.0/X86_64:
  f8b93aad21eb48289a537e586d3c58ae 
x86_64/corporate/3.0/RPMS/sudo-1.6.7-0.p5.2.5.C30mdk.x86_64.rpm
  3d4fe9dd6e7f729266af98a318be1b48 
x86_64/corporate/3.0/SRPMS/sudo-1.6.7-0.p5.2.5.C30mdk.src.rpm

  Multi Network Firewall 2.0:
  57e770ca1e0d0bf487be6b1c4691926c  mnf/2.0/RPMS/sudo-1.6.7-0.p5.2.5.M20mdk.i586.rpm
  d5a3d6889677117b6d19f953794c4ef4  mnf/2.0/SRPMS/sudo-1.6.7-0.p5.2.5.M20mdk.src.rpm
  _______________________________________________________________________

  To upgrade automatically use MandrivaUpdate or urpmi.  The verification
  of md5 checksums and GPG signatures is performed automatically for you.

  All packages are signed by Mandriva for security.  You can obtain the
  GPG public key of the Mandriva Security Team by executing:

   gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

  You can view other update advisories for Mandriva Linux at:

   http://www.mandriva.com/security/advisories

  If you want to report vulnerabilities, please contact

   security_(at)_mandriva.com
  _______________________________________________________________________

  Type Bits/KeyID     Date       User ID
  pub  1024D/22458A98 2000-07-10 Mandriva Security Team
   <security*mandriva.com>

======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================