Ubuntu Security Notice 956-1 - Evan Broder and Anders Kaseorg discovered that sudo did not properly sanitize its environment when configured to use secure_path (the default in Ubuntu). A local attacker could exploit this to execute arbitrary code as root if sudo was configured to allow the attacker to use a program that interpreted the PATH environment variable.
3037de18c813969c11a9138193a5c6d4ce5ee796f319b9f4908916e348a376d4