Описание
Security update for sudo
This update for sudo fixes the following issues:
CVE-2017-1000367:
- Due to incorrect assumptions in /proc/[pid]/stat parsing, a local attacker can pretend that his tty is any file on the filesystem, thus gaining arbitrary file write access on SELinux-enabled systems. [bsc#1039361]
- Fix FQDN for hostname. [bsc#1024145]
- Filter netgroups, they aren't handled by SSSD. [bsc#1015351]
- Fix problems related to 'krb5_ccname' option [bsc#981124]
Список пакетов
SUSE Linux Enterprise Desktop 12 SP2
sudo-1.8.10p3-10.5.1
SUSE Linux Enterprise Server 12 SP2
sudo-1.8.10p3-10.5.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
sudo-1.8.10p3-10.5.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2
sudo-1.8.10p3-10.5.1
SUSE Linux Enterprise Software Development Kit 12 SP2
sudo-devel-1.8.10p3-10.5.1
Ссылки
- Link for SUSE-SU-2017:1450-1
- E-Mail link for SUSE-SU-2017:1450-1
- SUSE Security Ratings
- SUSE Bug 1015351
- SUSE Bug 1024145
- SUSE Bug 1039361
- SUSE Bug 981124
- SUSE CVE CVE-2017-1000367 page
Описание
Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution.
Затронутые продукты
SUSE Linux Enterprise Desktop 12 SP2:sudo-1.8.10p3-10.5.1
SUSE Linux Enterprise Server 12 SP2:sudo-1.8.10p3-10.5.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:sudo-1.8.10p3-10.5.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:sudo-1.8.10p3-10.5.1
Ссылки
- CVE-2017-1000367
- SUSE Bug 1007501
- SUSE Bug 1039361
- SUSE Bug 1042146
- SUSE Bug 1077345