ALAS-2013-259


Amazon Linux 1 Security Advisory: ALAS-2013-259
Advisory Release Date: 2013-12-11 20:34 Pacific
Advisory Updated Date: 2014-09-16 22:10 Pacific
Severity: Low

Issue Overview:

A flaw was found in the way sudo handled time stamp files. An attacker able to run code as a local user and with the ability to control the system clock could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's password. (CVE-2013-1775)

It was found that sudo did not properly validate the controlling terminal device when the tty_tickets option was enabled in the /etc/sudoers file. An attacker able to run code as a local user could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's password. (CVE-2013-2776, CVE-2013-2777)


Affected Packages:

sudo


Issue Correction:
Run yum update sudo to update your system.

New Packages:
i686:
    sudo-devel-1.8.6p3-12.17.amzn1.i686
    sudo-debuginfo-1.8.6p3-12.17.amzn1.i686
    sudo-1.8.6p3-12.17.amzn1.i686

src:
    sudo-1.8.6p3-12.17.amzn1.src

x86_64:
    sudo-devel-1.8.6p3-12.17.amzn1.x86_64
    sudo-1.8.6p3-12.17.amzn1.x86_64
    sudo-debuginfo-1.8.6p3-12.17.amzn1.x86_64