[manjaro-security] [arch-security] [ASA-201705-25] sudo: access restriction bypass

Levente Polyak anthraxx at archlinux.org
Tue May 30 20:11:35 CEST 2017

Arch Linux Security Advisory ASA-201705-25

Severity: Medium
Date    : 2017-05-30
CVE-ID  : CVE-2017-1000367
Package : sudo
Type    : access restriction bypass
Remote  : No
Link    : https://security.archlinux.org/AVG-282


The package sudo before version 1.8.20.p1-1 is vulnerable to access
restriction bypass.


Upgrade to 1.8.20.p1-1.

# pacman -Syu "sudo>=1.8.20.p1-1"

The problem has been fixed upstream in version 1.8.20.p1.




On Linux systems, sudo parses the /proc/[pid]/stat file to determine
the device number of the process's tty (field 7). The fields in the
file are space-delimited, but it is possible for the command name
(field 2) to include spaces, which sudo does not account for. A user
with sudo privileges can cause sudo to use a device number of the
user's choosing by creating a symbolic link from the sudo binary to a
name that contains a space, followed by a number.
This may allow a user to bypass the "tty_ticket"
constraints. In order for this to succeed there must exist on the
machine a terminal device that the user has previously authenticated
themselves on via sudo within the last time stamp timeout (5 minutes by


A local attacker is able to extend the lifetime of a previously
authenticated ticket beyond the "tty_ticket" timeout constraints.
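
The parsing flaw described above, shown as an added example (not part of the advisory and not sudo's code): a parser that splits /proc/[pid]/stat on spaces, next to one that resumes after the last ')' closing the command name, as the proc(5) format allows. The stat lines are constructed and the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stat lines, cut off after field 7; the real tty_nr is 34816. */
static const char STAT_PLAIN[]  = "1234 (sudo) S 1233 1234 1233 34816";
static const char STAT_SPACED[] = "1234 (sudo 7) S 1233 1234 1233 34816";

/* Return the n-th (1-based) space-delimited token of s as a long, -1 on error. */
static long nth_field(const char *s, int n)
{
    char *end;

    while (*s != '\0') {
        while (*s == ' ')
            s++;
        if (*s == '\0')
            break;
        if (--n == 0) {
            long val = strtol(s, &end, 10);
            return (end == s || (*end != ' ' && *end != '\n' && *end != '\0')) ? -1 : val;
        }
        while (*s != '\0' && *s != ' ')
            s++;
    }
    return -1;
}

/* Space-splitting parser: trusts that field 2 (comm) holds no spaces. */
long tty_nr_naive(const char *line)
{
    return nth_field(line, 7);
}

/* comm is wrapped in parentheses, so resume after the LAST ')' in the line;
 * tty_nr (field 7) is then the 5th token: state, ppid, pgrp, session, tty_nr. */
long tty_nr_robust(const char *line)
{
    const char *p = strrchr(line, ')');
    return p ? nth_field(p + 1, 5) : -1;
}

int main(void)
{
    printf("plain : naive=%ld robust=%ld\n", tty_nr_naive(STAT_PLAIN), tty_nr_robust(STAT_PLAIN));
    printf("spaced: naive=%ld robust=%ld\n", tty_nr_naive(STAT_SPACED), tty_nr_robust(STAT_SPACED));
    return 0;
}
```

On the line whose command name contains a space, the space-splitting parser returns the session field (1233) instead of the tty device number, while the parenthesis-anchored parser still returns 34816.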


