path: root/package/php-memcached/php-memcached.mk
author: Peter Korsgaard <peter@korsgaard.com> 2017-05-31 08:47:18 +0200
committer: Peter Korsgaard <peter@korsgaard.com> 2017-05-31 12:30:49 +0200
commit: fddb760946a4f4ca366528a673989793be65a678 (patch)
tree: 637ef0a85643d060dc5d21258d15ab4c912adff4 /package/php-memcached/php-memcached.mk
parent: 8e0cb0c12dcbb0625b42481d7057b17d7bf4ad3d (diff)
sudo: add upstream security patch for CVE-2017-1000367
CVE-2017-1000367 - Potential overwrite of arbitrary files on Linux

On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process's tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include spaces, which sudo does not account for. A user with sudo privileges can cause sudo to use a device number of the user's choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number.

If SELinux is enabled on the system and sudo was built with SELinux support, a user with sudo privileges may be able to overwrite an arbitrary file. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers.

For more details, see: https://www.sudo.ws/alerts/linux_tty.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diffstat (limited to 'package/php-memcached/php-memcached.mk')
0 files changed, 0 insertions, 0 deletions
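
Added example (not part of this commit and not sudo's own code): the field-7 misparse described in the commit message, shown beside a parser that anchors on the last ')' of the command name so spaces inside field 2 cannot shift later fields. The function names and the two sample stat lines are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Advance p past n single-space delimiters; NULL if the line is too short. */
static const char *skip_fields(const char *p, int n)
{
    while (p != NULL && n-- > 0) {
        p = strchr(p, ' ');
        if (p != NULL)
            p++;
    }
    return p;
}

/* Flawed approach: count spaces from the start of the line to reach field 7. */
long tty_nr_naive(const char *line)
{
    const char *p = skip_fields(line, 6);
    return p ? strtol(p, NULL, 10) : -1;
}

/* Hardened approach: field 2 is "(comm)" and may contain spaces or ')', so
 * locate its end with the LAST ')' and count fields from there.
 * Returns tty_nr, or -1 if the line is malformed. */
long tty_nr_robust(const char *line)
{
    const char *p = strrchr(line, ')');
    char *end;
    long val;

    if (p == NULL || p[1] != ' ')
        return -1;
    p = skip_fields(p + 2, 4);   /* p + 2 is field 3 (state); move to field 7 */
    if (p == NULL)
        return -1;
    val = strtol(p, &end, 10);
    if (end == p || (*end != ' ' && *end != '\0'))
        return -1;               /* field 7 is not a clean integer */
    return val;
}

/* Constructed sample lines, truncated after field 9; not from a real system. */
const char *STAT_PLAIN  = "1234 (sudo) S 1000 1234 1000 34816 1234 4194304";
const char *STAT_SPACED = "1234 (sudo 9999) S 1000 1234 1000 34816 1234 4194304";

int main(void)
{
    printf("plain:  naive=%ld robust=%ld\n", tty_nr_naive(STAT_PLAIN), tty_nr_robust(STAT_PLAIN));
    printf("spaced: naive=%ld robust=%ld\n", tty_nr_naive(STAT_SPACED), tty_nr_robust(STAT_SPACED));
    return 0;
}
```

With the spaced command name the naive parser returns the session ID (field 6) instead of tty_nr, while the anchored parser still returns field 7.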