<= Back

AOSA-2017-0039: Update Sudo

May 31, 2017

Please update your sudo package to version 1.8.20p1.

A recently released version of Sudo has addressed a security vulnerability titled "Potential overwrite of arbitrary files on Linux":

"On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process's tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include spaces, which sudo does not account for. A user with sudo privileges can cause sudo to use a device number of the user's choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number."

This vulnerability has been assigned CVE-2017-100036.

Relevant documentation:

Copyleft 2011–2024, Members of the Community   |   Site Language