CVE ID | CVE-2017-1000368 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu) |
Other ID(s) |
Affected Package(s) | sudo |
Deficiency Type | SECURITY |
Date Created | 2017-10-08 10:48:02 |
Date Last Modified | 2017-10-08 14:58:27 |
Cucumber 1.0 i686 | fixed in sudo-1.8.21p2-i686-1 |
Cucumber 1.0 x86_64 | fixed in sudo-1.8.21p2-x86_64-1 |
Cucumber 1.1 i686 | fixed in sudo-1.8.21p2-i686-1 |
Cucumber 1.1 x86_64 | fixed in sudo-1.8.21p2-x86_64-1 |
Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation flaw (embedded newlines) in the get_process_ttyname() function, resulting in information disclosure and command execution (https://nvd.nist.gov/vuln/detail/CVE-2017-1000368).

This vulnerability was initially assigned CVE-2017-1000367 in the Common Vulnerabilities and Exposures database. It was later discovered that the fix present in sudo 1.8.20p1 was incomplete, as it did not address the problem of a command with a newline in the name. CVE-2017-1000368 was assigned for this additional issue (https://www.sudo.ws/alerts/linux_tty.html).