From ${URL} :

From the upstream advisory:

When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). The user's time stamp file can be reset using "sudo -k" or removed altogether via "sudo -K".

A user who has sudo access and is able to control the local clock (common in desktop environments) can run a command via sudo without authenticating as long as they have previously authenticated themselves at least once by running "sudo -k" and then setting the clock to the epoch (1970-01-01 01:00:00).

The vulnerability does not permit a user to run commands other than those allowed by the sudoers policy.

This affects versions 1.6.0 through up to the fixed 1.7.10p7 version, and sudo 1.8.0 through to the fixed 1.8.7p7.

The fix for 1.7.x: http://www.sudo.ws/repos/sudo/rev/ddf399e3e306
The fix for 1.8.x: http://www.sudo.ws/repos/sudo/rev/ebd6cc75020f

External References: http://www.sudo.ws/sudo/alerts/epoch_ticket.html
and from https://bugzilla.redhat.com/show_bug.cgi?id=916365 :

When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default).

This time stamp file can either be common to all of a user's terminals, or it can be specific to the particular terminal the user authenticated themselves on. The terminal-specific time stamp file behavior can be controlled using the "tty_tickets" option in the sudoers file. This option has been enabled by default since sudo 1.7.4. Prior to sudo 1.7.4, the default was to use a single time stamp for all the user's sessions.

A vulnerability exists because the user can control which terminal the standard input, output and error file descriptors (0-2) refer to. A malicious user could use this to run commands via sudo without authenticating, so long as there exists a terminal the user has access to where a sudo command was successfully run by that same user within the password timeout period (usually five minutes).

The vulnerability does not permit a user to run commands other than those allowed by the sudoers policy.

This affects versions 1.3.5 through up to the fixed 1.7.10p6 version, and sudo 1.8.0 through to the fixed 1.8.7p7.

The fix for 1.7.x: http://www.sudo.ws/repos/sudo/rev/0c0283d1fafa
The fix for 1.8.x: http://www.sudo.ws/repos/sudo/rev/049a12a5cc14

External References: http://www.sudo.ws/sudo/alerts/tty_tickets.html
CVE-2013-1775 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1775): sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allows local users or physically-proximate attackers to bypass intended time restrictions and retain privileges without re-authenticating by setting the system clock and sudo user timestamp to the epoch.
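The epoch condition described for CVE-2013-1775, as a simplified model added here (it is not sudo's source code and not part of the original thread): an age-only check accepts a time stamp that was reset to the epoch once the clock also reads near the epoch, while a check that treats an epoch time stamp as "no ticket" does not. The function names, the temporary file standing in for the time stamp file, and the clock values are assumptions; the clock is passed in as `now`, so the system clock is never touched.

```python
import os
import tempfile

TIMEOUT = 5 * 60  # password timeout in seconds (five minutes by default)


def reset_ticket(path):
    """Model of `sudo -k`: reset the time stamp file's times to the epoch."""
    os.utime(path, (0, 0))


def ticket_valid_legacy(path, now, timeout=TIMEOUT):
    """Age-only check: compares the ticket's age against the timeout."""
    age = now - os.stat(path).st_mtime
    return 0 <= age <= timeout


def ticket_valid_hardened(path, now, timeout=TIMEOUT):
    """Hardened check: an epoch time stamp means 'reset', never 'fresh'."""
    mtime = os.stat(path).st_mtime
    if mtime == 0:
        return False
    return 0 <= now - mtime <= timeout


def demo():
    """Return (legacy, hardened) verdicts for three constructed clock readings."""
    fd, path = tempfile.mkstemp(prefix="ticket-")  # stand-in time stamp file
    os.close(fd)
    try:
        authed_at = 1_362_000_000  # constructed: time of the last real authentication
        os.utime(path, (authed_at, authed_at))
        fresh = (ticket_valid_legacy(path, authed_at + 60),
                 ticket_valid_hardened(path, authed_at + 60))
        reset_ticket(path)
        # Correct clock after a reset: both checks demand a password again.
        after_reset = (ticket_valid_legacy(path, authed_at + 120),
                       ticket_valid_hardened(path, authed_at + 120))
        # Clock reading near the epoch: the age is ~0, so the age-only check passes.
        clock_at_epoch = (ticket_valid_legacy(path, 30),
                          ticket_valid_hardened(path, 30))
        return fresh, after_reset, clock_at_epoch
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```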
sudo-1.8.6_p7 is in the tree
CVE-2013-2777 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2777): sudo before 1.7.10p5 and 1.8.x before 1.8.6p6, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to a session without a controlling terminal device and connecting to a standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions.

CVE-2013-2776 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2776): sudo 1.3.5 through 1.7.10p5 and 1.8.0 through 1.8.6p6, when running on systems without /proc or the sysctl function with the tty_tickets option enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to a standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions.

CVE-2013-1776 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1776): sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to a standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions.
(In reply to comment #3)
> sudo-1.8.6_p7 is in the tree

Arches, please test and mark stable.
Target KEYWORDS: "alpha amd64 arm hppa ia64 ~m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~sparc-solaris"
amd64 stable
arm stable
Stable for HPPA.
ppc stable
ppc64 stable
alpha stable
x86 stable
ia64 stable
sparc stable
s390 stable
sh stable
Thanks for your work.
GLSA vote: yes
GLSA vote: YES. GLSA request filed.
This issue was resolved and addressed in GLSA 201401-23 at http://security.gentoo.org/glsa/glsa-201401-23.xml by GLSA coordinator Chris Reffett (creffett).