CVE-2013-1776

jdstrand

this all revolves around sudo's longstanding use of ttyname() when using the tty_tickets option. tty_tickets maintains separate timestamps for each tty and is intended to help prevent ticket reuse. Ubuntu 11.10 started using tty_tickets by default. The implementation initially relies on the use of ttyname(), which was not sufficient to stop ticket reuse under some circumstances. sudo stopped using ttyname() in 1.8.5 and 1.7.10 but had fallback behavior that continued to use ttyname() up until 1.8.6p6 and 1.7.10p5, where the fallback behavior was removed. sudo 1.8.6p7 and 1.7.10p6 added the session id (sid) to the timestamp file for systems without /proc or sysctl The commits to stop using ttyname() and use /proc instead may be incomplete-- 632f8e028191 for 1.7 and 6b22be4d09f0 for 1.8 are only the initial commits (ie, refinements and bug fix commits are not listed as of 2013/02/27) backporting the patches for this longstanding issue to Ubuntu 12.04 LTS and earlier is likely regression-prone and the fix to remove the fallback and add the session id for 12.10 and 13.04 is not worth a security update. Marking 12.10 and earlier as ignored and leaving 13.04 as needed since we can pick up the fix when 1.8.6p7+ is pushed to Ubuntu. CVE-2013-2776 and CVE-2013-2777 are the same issue but split out into new CVEs for accounting purposes