Описание
Security update for sudo
This update for sudo fixes the following security issue:
- CVE-2017-1000368: A follow-up fix to CVE-2017-1000367, the Linux process name could also contain a newline, which could be used to trick sudo to read/write to an arbitrary open terminal. (bsc#1042146)
Also the following non security bug was fixed:
- Link the 'system_group' plugin with sudo_util library to resolve the missing sudo_dso_findsym symbol (bsc#1034560)
Список пакетов
SUSE Linux Enterprise Desktop 12 SP2
sudo-1.8.10p3-10.10.2
SUSE Linux Enterprise Server 12 SP2
sudo-1.8.10p3-10.10.2
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
sudo-1.8.10p3-10.10.2
SUSE Linux Enterprise Server for SAP Applications 12 SP2
sudo-1.8.10p3-10.10.2
SUSE Linux Enterprise Software Development Kit 12 SP2
sudo-devel-1.8.10p3-10.10.2
Ссылки
- Link for SUSE-SU-2017:1626-1
- E-Mail link for SUSE-SU-2017:1626-1
- SUSE Security Ratings
- SUSE Bug 1034560
- SUSE Bug 1042146
- SUSE CVE CVE-2017-1000368 page
Описание
Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution.
Затронутые продукты
SUSE Linux Enterprise Desktop 12 SP2:sudo-1.8.10p3-10.10.2
SUSE Linux Enterprise Server 12 SP2:sudo-1.8.10p3-10.10.2
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:sudo-1.8.10p3-10.10.2
SUSE Linux Enterprise Server for SAP Applications 12 SP2:sudo-1.8.10p3-10.10.2
Ссылки
- CVE-2017-1000368
- SUSE Bug 1039361
- SUSE Bug 1042146
- SUSE Bug 1045986