AOSA-2017-0039: UPDATE SUDO

MAY 31, 2017

Most good programmers do programming not because they expect to get paid or get adulation by the public, but because it is fun to program. – Linus Torvalds

Please update your sudo package to version 1.8.20p1.

A recently released version of Sudo has addressed a security vulnerability titled “Potential overwrite of arbitrary files on Linux”:

“On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process’s tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include spaces, which sudo does not account for. A user with sudo privileges can cause sudo to use a device number of the user’s choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number.”

This vulnerability has been assigned CVE-2017-100036.

Relevant documentation:

1496232361906