AOSA-2017-0039: Update Sudo
May 31, 2017
Please update your sudo package to version
A recently released version of Sudo has addressed a security vulnerability titled "Potential overwrite of arbitrary files on Linux":
"On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process's tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include spaces, which sudo does not account for. A user with sudo privileges can cause sudo to use a device number of the user's choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number."
This vulnerability has been assigned CVE-2017-100036.
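The field-counting pitfall described in the quoted advisory, shown as an added example (this is not sudo's code and not part of the original advisory). The function names and the sample stat lines are constructed for illustration. It assumes the documented /proc/[pid]/stat layout, in which the command name is wrapped in parentheses and tty_nr is field 7.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample lines (not captured from a real system). */
static const char SAMPLE_PLAIN[] = "1234 (sudo) S 1000 1234 1000 34817 1234 4194304 0 0";
static const char SAMPLE_SPACE[] = "1234 (my tool) S 1000 1234 1000 34817 1234 4194304 0 0";
static const char SAMPLE_PAREN[] = "1234 (x) S 1) S 1000 1234 1000 34817 1234 4194304 0 0";

/* Return the n-th (1-based) space-delimited field of s as a long, or -1. */
static long nth_field(const char *s, int n)
{
    char *end;
    long v;
    for (int i = 1; ; i++) {
        s += strspn(s, " ");          /* skip separators */
        if (*s == '\0') return -1;    /* ran out of fields */
        if (i == n) break;
        s += strcspn(s, " ");         /* skip this field */
    }
    v = strtol(s, &end, 10);
    if (end == s || (*end != ' ' && *end != '\0' && *end != '\n'))
        return -1;                    /* field is not a plain number */
    return v;
}

/* Fragile: counts from the start of the line, so a space inside the
 * command name (field 2) shifts every later field. */
long tty_nr_naive(const char *stat_line)
{
    return nth_field(stat_line, 7);
}

/* Robust: skip past the LAST ')' (the name itself may contain ')'),
 * then count state, ppid, pgrp, session, tty_nr. */
long tty_nr_robust(const char *stat_line)
{
    const char *rp = strrchr(stat_line, ')');
    return rp ? nth_field(rp + 1, 5) : -1;
}

int main(void)
{
    const char *lines[] = { SAMPLE_PLAIN, SAMPLE_SPACE, SAMPLE_PAREN };
    for (int i = 0; i < 3; i++)
        printf("naive=%ld robust=%ld\n", tty_nr_naive(lines[i]), tty_nr_robust(lines[i]));
    return 0;
}
```

The two parsers agree only when the command name has no spaces; any code that reads fields after the name from this file should anchor on the closing parenthesis rather than on a field count from the start of the line.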