CVE-2017-1000368

Published: 5 June 2017

Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution.

Priority

CVSS 3 base score: 8.2

Status

Package	Release	Status
sudo Launchpad, Ubuntu, Debian	artful	Released (1.8.20p2-1ubuntu1)
	bionic	Released (1.8.20p2-1ubuntu1)
	cosmic	Released (1.8.20p2-1ubuntu1)
	disco	Released (1.8.20p2-1ubuntu1)
	precise	Not vulnerable (code not present)
	trusty	Released (1.8.9p5-1ubuntu1.5+esm1)
	upstream	Released (1.8.20p1-1.1)
	xenial	Released (1.8.16-0ubuntu1.6)
	yakkety	Ignored (reached end-of-life)
	zesty	Ignored (reached end-of-life)
	Patches: upstream: https://www.sudo.ws/repos/sudo/raw-rev/15a46f4007dd

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863897

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Security