CLD-67 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-1000368 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) sudo
Deficiency Type SECURITY
Date Created 2017-10-08 10:48:02
Date Last Modified 2017-10-08 14:58:27

Version Specific Information:

Cucumber 1.0 i686fixed in sudo-1.8.21p2-i686-1
Cucumber 1.0 x86_64fixed in sudo-1.8.21p2-x86_64-1

Cucumber 1.1 i686 fixed in sudo-1.8.21p2-i686-1
Cucumber 1.1 x86_64 fixed in sudo-1.8.21p2-x86_64-1

Details:

Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input
validation (embedded newlines) in the get_process_ttyname() function resulting
in information disclosure and command execution
(https://nvd.nist.gov/vuln/detail/CVE-2017-1000368).

This vulnerability was initially assigned CVE-2017-1000367 in the Common
Vulnerabilities and Exposures database. It was later discovered that the fix
present in sudo 1.8.20p1 was incomplete as it did not address the problem of a
command with a newline in the name. CVE-2017-1000368 was assigned for this
additional issue (https://www.sudo.ws/alerts/linux_tty.html).