Описание
Security update for sudo
This update for sudo fixes the following issues:
- CVE-2017-1000368: A follow-up fix to CVE-2017-1000367, the Linux process name could also contain a newline, which could be used to trick sudo to read/write to an arbitrary open terminal. (bsc#1042146)
Also the following non security bug was fixed:
- Link the 'system_group' plugin with sudo_util library to resolve the missing sudo_dso_findsym symbol (bsc#1034560)
Список пакетов
SUSE Linux Enterprise Server 12 SP1-LTSS
sudo-1.8.10p3-2.16.1
SUSE Linux Enterprise Server 12-LTSS
sudo-1.8.10p3-2.16.1
SUSE Linux Enterprise Server for SAP Applications 12
sudo-1.8.10p3-2.16.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1
sudo-1.8.10p3-2.16.1
SUSE OpenStack Cloud 6
sudo-1.8.10p3-2.16.1
Ссылки
- Link for SUSE-SU-2017:1627-1
- E-Mail link for SUSE-SU-2017:1627-1
- SUSE Security Ratings
- SUSE Bug 1034560
- SUSE Bug 1042146
- SUSE CVE CVE-2017-1000368 page
Описание
Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution.
Затронутые продукты
SUSE Linux Enterprise Server 12 SP1-LTSS:sudo-1.8.10p3-2.16.1
SUSE Linux Enterprise Server 12-LTSS:sudo-1.8.10p3-2.16.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1:sudo-1.8.10p3-2.16.1
SUSE Linux Enterprise Server for SAP Applications 12:sudo-1.8.10p3-2.16.1
Ссылки
- CVE-2017-1000368
- SUSE Bug 1039361
- SUSE Bug 1042146
- SUSE Bug 1045986