Control: severity -1 grave Hi Bdale!
On Thu, Jun 01, 2017 at 08:42:30PM +0200, Salvatore Bonaccorso wrote: > Source: sudo > Version: 1.8.10p3-1 > Severity: important > Tags: patch upstream > > Hi > > sudo 1.8.20p2 fixes an issue in parsing /proc/[pid]/stat when the > process name contains a newline. > > The bug is not exploitable due to the changes in how /dev is traversed > made in sudo 1.8.20p1 for CVE-2017-1000367. > > Still it is probably good to have it fixed in a point release as well > for stable releases (or if accepted by the release team as well > targetted for stretch). > > Announce: > https://www.sudo.ws/pipermail/sudo-announce/2017-May/000155.html This was as the writing of this bugreport, but ths was proven wrong and there is another attack vector, explained in http://www.openwall.com/lists/oss-security/2017/06/02/7 I thus tend to make the severity RC and think this additional fix should go as well to stretch. https://www.sudo.ws/repos/sudo/raw-rev/b5460cbbb11b Regards, Salvatore