CVE-2017-1000368

Published: 5 June 2017

Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution.

Priority

CVSS 3 base score: 8.2

Status

Package	Release	Status
sudo Launchpad, Ubuntu, Debian	artful	Released (1.8.20p2-1ubuntu1)
	bionic	Released (1.8.20p2-1ubuntu1)
	cosmic	Released (1.8.20p2-1ubuntu1)
	disco	Released (1.8.20p2-1ubuntu1)
	precise	Not vulnerable (code not present)
	trusty	Released (1.8.9p5-1ubuntu1.5+esm1)
	upstream	Released (1.8.20p1-1.1)
	xenial	Released (1.8.16-0ubuntu1.6)
	yakkety	Ignored (reached end-of-life)
	zesty	Ignored (reached end-of-life)

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000368
http://www.openwall.com/lists/oss-security/2017/06/02/7
https://www.sudo.ws/alerts/linux_tty.html
https://ubuntu.com/security/notices/USN-3968-1
https://ubuntu.com/security/notices/USN-3968-2
NVD
Launchpad
Debian

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863897

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›