A vulnerability has been discovered in Sudo's get_process_ttyname() function on Linux (CVE-2017-1000367). This function opens "/proc/[pid]/stat" (see man proc) and reads the device number of the tty from field 7 (tty_nr). Unfortunately, these fields are space-separated and field 2 (comm, the filename of the command) can itself contain spaces, so a command name with spaces shifts the field positions and the wrong value is read as tty_nr.
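To make the parsing problem concrete, here is an added example (not sudo's own code) with two small parsers over constructed /proc/[pid]/stat lines: a naive one that splits the whole line on spaces and takes the 7th token, and a robust one that anchors on the last ')' closing the parenthesised comm field and counts fields from there. The sample lines, the field values and the function names are all made up for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc/[pid]/stat lines, truncated after field 10 (the real
 * file has many more fields). tty_nr (field 7) is 34816 in both. */
const char *const SAMPLE_PLAIN  = "4242 (bash) S 4200 4242 4242 34816 4242 4194304 0";
const char *const SAMPLE_SPACES = "4242 (my shell) S 4200 4242 4242 34816 4242 4194304 0";

/* Return a pointer to the n-th (1-based) space-separated token in s,
 * or NULL if s has fewer than n tokens. */
static const char *nth_token(const char *s, int n)
{
    for (int i = 1;; i++) {
        while (*s == ' ') s++;
        if (*s == '\0') return NULL;
        if (i == n) return s;
        while (*s != '\0' && *s != ' ') s++;
    }
}

/* Naive parse: split the whole line on spaces and take field 7.
 * Breaks as soon as comm (field 2) contains a space. */
long tty_nr_naive(const char *stat)
{
    const char *tok = nth_token(stat, 7);
    return tok ? strtol(tok, NULL, 10) : -1;
}

/* Robust parse: comm is the only field that may contain spaces and it is
 * wrapped in parentheses, so anchor on the last ')' and count from field 3
 * onward. Field 7 is then the 5th token after the ')'. */
long tty_nr_robust(const char *stat)
{
    const char *close = strrchr(stat, ')');
    if (close == NULL) return -1;
    const char *tok = nth_token(close + 1, 7 - 2);
    return tok ? strtol(tok, NULL, 10) : -1;
}

int main(void)
{
    printf("plain : naive=%ld robust=%ld\n", tty_nr_naive(SAMPLE_PLAIN), tty_nr_robust(SAMPLE_PLAIN));
    printf("spaces: naive=%ld robust=%ld\n", tty_nr_naive(SAMPLE_SPACES), tty_nr_robust(SAMPLE_SPACES));
    return 0;
}
```

On the line whose comm contains a space, the naive parser returns 4242 (the session field) instead of the tty_nr 34816, while the robust parser returns 34816 for both lines.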


How to Fix?

This vulnerability affects most Linux distributions. Update the sudo package immediately on your Linux systems to fix it.


Debian Based Systems:
$ sudo apt update
$ sudo apt install sudo

Red Hat Based Systems:
$ sudo yum install sudo

Fedora 22+ Systems:
$ sudo dnf install sudo

References: for more details about the CVE-2017-1000367 vulnerability, see the following.

https://www.sudo.ws/alerts/linux_tty.html
http://www.openwall.com/lists/oss-security/2017/05/30/16
https://access.redhat.com/security/vulnerabilities/3059071
