A vulnerability has been discovered in Sudo’s get_process_ttyname() in linux command. this function opens “/proc/[pid]/stat” (man proc) and reads the device number of the tty from field 7 (tty_nr). Unfortunately, these fields are space-separated and field 2 (comm, the filename of the command) can contain spaces (CVE-2017-1000367).
Advertisement
How to Fix?
This vulnerability affected most of the Linux operating systems. You are recommended to update sudo package immediately on your Linux system to fix this vulnerability.
Debian Based Systems: $ sudo apt update $ sudo apt install sudoRedhat Based Systems: $ sudo yum install sudoFedora 22+ Systems: $ sudo dnf install sudo
References: For more details about CVE-2017-1000367 vulnerability visit followings.
https://www.sudo.ws/alerts/linux_tty.html
http://www.openwall.com/lists/oss-security/2017/05/30/16
https://access.redhat.com/security/vulnerabilities/3059071