SUSE-SU-2017:1446-1

Details

This update for sudo fixes the following issues:

CVE-2017-1000367:

Due to incorrect assumptions in /proc/[pid]/stat parsing, a local attacker can pretend that his tty is any file on the filesystem, thus gaining arbitrary file write access on SELinux-enabled systems. [bsc#1039361]
Fix FQDN for hostname. [bsc#1024145]
Filter netgroups, they aren't handled by SSSD. [bsc#1015351]
Fix problems related to 'krb5_ccname' option [bsc#981124]

Affected Packages

sudo

SUSE Linux Enterprise Desktop 12 SP1SUSE Linux Enterprise Server 12 SP1SUSE Linux Enterprise Server 12-LTSSSUSE Linux Enterprise Server for SAP Applications 12SUSE Linux Enterprise Server for SAP Applications 12 SP1

Fixed in:

1.8.10p3-2.11.1

sudo-devel

SUSE Linux Enterprise Software Development Kit 12 SP1

Fixed in:

1.8.10p3-2.11.1

References

REPORT

https://bugzilla.suse.com/1015351

REPORT

https://bugzilla.suse.com/1024145

REPORT

https://bugzilla.suse.com/1039361

REPORT

https://bugzilla.suse.com/981124

WEB

https://www.suse.com/security/cve/CVE-2017-1000367

ADVISORY

https://www.suse.com/support/update/announcement/2017/suse-su-20171446-1/