CVE-2013-1776

Publication date 8 April 2013

Last updated 24 July 2024


Ubuntu priority

sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to the standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions.


Status

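| Package | Ubuntu Release | Status |
|---------|----------------|--------|
| sudo | 12.10 quantal | Ignored |
| sudo | 12.04 LTS precise | Ignored |
| sudo | 11.10 oneiric | Ignored |
| sudo | 10.04 LTS lucid | Ignored |
| sudo | 8.04 LTS hardy | Ignored |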

Notes


jdstrand

This all revolves around sudo's longstanding use of ttyname() when using the tty_tickets option. tty_tickets maintains separate timestamps for each tty and is intended to help prevent ticket reuse. Ubuntu 11.10 started using tty_tickets by default.

The implementation initially relies on the use of ttyname(), which was not sufficient to stop ticket reuse under some circumstances. sudo stopped using ttyname() in 1.8.5 and 1.7.10 but had fallback behavior that continued to use ttyname() up until 1.8.6p6 and 1.7.10p5, where the fallback behavior was removed. sudo 1.8.6p7 and 1.7.10p6 added the session id (sid) to the timestamp file for systems without /proc or sysctl.

The commits to stop using ttyname() and use /proc instead may be incomplete-- 632f8e028191 for 1.7 and 6b22be4d09f0 for 1.8 are only the initial commits (i.e., refinements and bug fix commits are not listed as of 2013/02/27).

Backporting the patches for this longstanding issue to Ubuntu 12.04 LTS and earlier is likely regression-prone and the fix to remove the fallback and add the session id for 12.10 and 13.04 is not worth a security update. Marking 12.10 and earlier as ignored and leaving 13.04 as needed since we can pick up the fix when 1.8.6p7+ is pushed to Ubuntu.

CVE-2013-2776 and CVE-2013-2777 are the same issue but split out into new CVEs for accounting purposes.
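The difference between asking ttyname() about a file descriptor and asking the kernel (via /proc) which terminal the process is attached to can be seen in the following added example. It is an illustration written for this page, not sudo's code; it assumes Linux with /proc mounted and the field layout documented in proc(5), and the function names are hypothetical.

```c
/* Added illustration, not sudo's code. Assumes Linux /proc and proc(5) layout. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <unistd.h>

/* Extract session id (field 6) and tty_nr (field 7) from a /proc/<pid>/stat line.
 * comm (field 2) may itself contain spaces or ')', so count from the LAST ')'. */
int parse_stat_line(const char *line, long *sid, long *tty_nr)
{
    const char *p = strrchr(line, ')');
    char state;
    long ppid, pgrp;
    if (p == NULL ||
        sscanf(p + 1, " %c %ld %ld %ld %ld", &state, &ppid, &pgrp, sid, tty_nr) != 5)
        return -1;
    return 0;
}

/* tty_nr layout per proc(5): major in bits 15-8, minor in bits 31-20 and 7-0. */
unsigned tty_major(long nr) { return ((unsigned long)nr >> 8) & 0xfff; }
unsigned tty_minor(long nr) { return (nr & 0xff) | (((unsigned long)nr >> 12) & 0xfff00); }

/* 1 if fd is the device the kernel records as controlling tty, 0 if not, -1 on error. */
int fd_matches_tty(int fd, long tty_nr)
{
    struct stat sb;
    if (tty_nr == 0)            /* process has no controlling terminal */
        return 0;
    if (fstat(fd, &sb) != 0)
        return -1;
    return S_ISCHR(sb.st_mode) && major(sb.st_rdev) == tty_major(tty_nr)
        && minor(sb.st_rdev) == tty_minor(tty_nr);
}

int main(void)
{
    char buf[1024] = "";
    long sid = 0, tty_nr = 0;
    FILE *f = fopen("/proc/self/stat", "r");
    if (f == NULL || fgets(buf, sizeof buf, f) == NULL || parse_stat_line(buf, &sid, &tty_nr) != 0)
        return 1;
    fclose(f);
    const char *name = ttyname(STDIN_FILENO);   /* describes the fd, not the session */
    printf("ttyname(stdin)=%s sid=%ld ctty=%u:%u stdin_is_ctty=%d\n", name ? name : "(none)",
           sid, tty_major(tty_nr), tty_minor(tty_nr), fd_matches_tty(STDIN_FILENO, tty_nr));
    return 0;
}
```

When standard input has been redirected to a different terminal device, `stdin_is_ctty` is 0 even though ttyname() still returns a valid tty path, which is the mismatch a per-tty ticket keyed on ttyname() cannot see.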