| Field | Value |
|---|---|
| CVE ID | CVE-2017-1000368 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu) |
| Date Created | 2017-10-08 10:48:02 |
| Date Last Modified | 2017-10-08 14:58:27 |
| Cucumber 1.0 i686 | fixed in sudo-1.8.21p2-i686-1 |
| Cucumber 1.0 x86_64 | fixed in sudo-1.8.21p2-x86_64-1 |
| Cucumber 1.1 i686 | fixed in sudo-1.8.21p2-i686-1 |
| Cucumber 1.1 x86_64 | fixed in sudo-1.8.21p2-x86_64-1 |
Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation flaw (embedded newlines) in the get_process_ttyname() function, resulting in information disclosure and command execution (https://nvd.nist.gov/vuln/detail/CVE-2017-1000368). This vulnerability was initially assigned CVE-2017-1000367 in the Common Vulnerabilities and Exposures database. It was later discovered that the fix present in sudo 1.8.20p1 was incomplete, as it did not address the problem of a command with a newline in its name. CVE-2017-1000368 was assigned for this additional issue (https://www.sudo.ws/alerts/linux_tty.html).
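The parsing weakness behind this entry, as an added example (not sudo's code and not part of the original advisory): on Linux the tty device number is field 7 of /proc/[pid]/stat, and the command name in field 2 may itself contain spaces or newlines. The function names naive_tty_nr and robust_tty_nr are hypothetical, and the three records are constructed and shortened.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, shortened records: pid (comm) state ppid pgrp session tty_nr ... */
static const char PLAIN[]   = "4321 (bash) S 1000 4321 4321 34816 4321\n";
static const char SPACE[]   = "4321 (my prog) S 1000 4321 4321 34816 4321\n";
static const char NEWLINE[] = "4321 (my\nprog) S 1000 4321 4321 34816 4321\n";

/* Naive (hypothetical): keep only the first line, split on spaces, take
 * field 7. Whitespace inside comm shifts or truncates the fields. */
static int naive_tty_nr(const char *stat, long *out)
{
    char line[256];
    size_t n = strcspn(stat, "\n");
    int field = 0;
    if (n >= sizeof(line)) return -1;
    memcpy(line, stat, n);
    line[n] = '\0';
    for (char *tok = strtok(line, " "); tok; tok = strtok(NULL, " "))
        if (++field == 7) { *out = strtol(tok, NULL, 10); return 0; }
    return -1;
}

/* Hardened (hypothetical): use the whole buffer, anchor on the LAST ')',
 * then read state, ppid, pgrp, session, tty_nr from what follows it. */
static int robust_tty_nr(const char *stat, long *out)
{
    const char *rp = strrchr(stat, ')');
    char state;
    long ppid, pgrp, session, tty;
    if (rp == NULL || rp[1] != ' ') return -1;
    if (sscanf(rp + 2, "%c %ld %ld %ld %ld", &state, &ppid, &pgrp, &session, &tty) != 5)
        return -1;
    *out = tty;
    return 0;
}

int main(void)
{
    const char *recs[] = { PLAIN, SPACE, NEWLINE };
    for (int i = 0; i < 3; i++) {
        long a = -1, b = -1;
        int ra = naive_tty_nr(recs[i], &a), rb = robust_tty_nr(recs[i], &b);
        printf("record %d: naive rc=%d tty=%ld | robust rc=%d tty=%ld\n", i, ra, a, rb, b);
    }
    return 0;
}
```

The hardened form only holds if the caller passes the entire file contents; reading a single line before searching for the closing parenthesis leaves the newline case unhandled.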