CVE-2013-1776

Published: 08 April 2013

sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to the standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions.

Priority

Low

Notes

AuthorNote
jdstrand
this all revolves around sudo's longstanding use of ttyname() when
using the tty_tickets option. tty_tickets maintains separate timestamps for
each tty and is intended to help prevent ticket reuse. Ubuntu 11.10 started
using tty_tickets by default. The implementation initially relies on the use
of ttyname(), which was not sufficient to stop ticket reuse under some
circumstances. sudo stopped using ttyname() in 1.8.5 and 1.7.10 but had
fallback behavior that continued to use ttyname() up until 1.8.6p6 and
1.7.10p5, where the fallback behavior was removed. sudo 1.8.6p7 and 1.7.10p6
added the session id (sid) to the timestamp file for systems without /proc or
sysctl
The commits to stop using ttyname() and use /proc instead may be
incomplete-- 632f8e028191 for 1.7 and 6b22be4d09f0 for 1.8 are only the
initial commits (ie, refinements and bug fix commits are not listed as of
2013/02/27)
backporting the patches for this longstanding issue to Ubuntu 12.04
LTS and earlier is likely regression-prone and the fix to remove the fallback
and add the session id for 12.10 and 13.04 is not worth a security update.
Marking 12.10 and earlier as ignored and leaving 13.04 as needed since we
can pick up the fix when 1.8.6p7+ is pushed to Ubuntu.
CVE-2013-2776 and CVE-2013-2777 are the same issue but split out
into new CVEs for accounting purposes

References

Bugs