

Sudo: CVE-2014-9680: preserves TZ by default - geoffbp
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772707

======
regularfry
I'm not sure I understand the severity here. Is $TZ read before granting sudo
permissions, or after? And if after, if someone has sudo rights anyway, surely
there are more interesting DoS possibilities?

Or is the risk that someone with restricted sudo rights (say, to an individual
command) might be able to do things they weren't supposed to?

~~~
tedunangst
The (possibly restricted) command that sudo runs reads TZ. Then it crashes.
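
An added example, not part of the thread and not sudo's own code: one way a privileged launcher can vet a caller-supplied TZ before the command it runs ever parses it, which is the failure mode described above. The function name `tz_is_safe`, the acceptance rules, and the `ZONEINFO_DIR` path are assumptions made for this illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stdbool.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Assumed location of the system time zone database. */
#define ZONEINFO_DIR "/usr/share/zoneinfo"

/* Return true if a caller-supplied TZ value is safe to hand to a
 * command that runs with elevated privileges. */
bool tz_is_safe(const char *tz)
{
    const char *p;
    size_t dirlen = strlen(ZONEINFO_DIR);

    if (tz == NULL)
        return false;
    if (*tz == ':')     /* POSIX allows a leading ':' before a file name */
        tz++;

    /* Absolute paths are only allowed inside the zoneinfo directory. */
    if (*tz == '/' &&
        (strncmp(tz, ZONEINFO_DIR, dirlen) != 0 || tz[dirlen] != '/'))
        return false;

    for (p = tz; *p != '\0'; p++) {
        /* No whitespace, control or non-ASCII bytes (C locale). */
        if (!isgraph((unsigned char)*p))
            return false;
        /* No ".." path element, at the start or after a '/'. */
        if (p[0] == '.' && p[1] == '.' && (p == tz || p[-1] == '/') &&
            (p[2] == '/' || p[2] == '\0'))
            return false;
    }

    /* Reject over-long values. */
    return (size_t)(p - tz) < PATH_MAX;
}
```

A value that fails the check is best dropped from the environment rather than rewritten, so the command falls back to the system default time zone.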

