CVE-2013-1776
Source: Ubuntu CVE tracker (ubuntu.com), UB:CVE-2013-1776
Published: Apr 08, 2013 - 12:00 a.m.

CVSS2: 4.4 Medium (AV:L/AC:M/Au:N/C:P/I:P/A:P)
  Access Vector: LOCAL
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.0004 Low (percentile 9.4%)

sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when the tty_tickets
option is enabled, does not properly validate the controlling terminal
device, which allows local users with sudo permissions to hijack the
authorization of another terminal via vectors related to connecting to the
standard input, output, and error file descriptors of another terminal.
NOTE: this is one of three closely-related vulnerabilities that were
originally assigned CVE-2013-1776, but they have been SPLIT because of
different affected versions.

Bugs

Notes

Author Note
jdstrand: This all revolves around sudo's longstanding use of ttyname() when using the tty_tickets option. tty_tickets maintains separate timestamps for each tty and is intended to help prevent ticket reuse. Ubuntu 11.10 started using tty_tickets by default.

The implementation initially relies on the use of ttyname(), which was not sufficient to stop ticket reuse under some circumstances. sudo stopped using ttyname() in 1.8.5 and 1.7.10 but had fallback behavior that continued to use ttyname() up until 1.8.6p6 and 1.7.10p5, where the fallback behavior was removed. sudo 1.8.6p7 and 1.7.10p6 added the session id (sid) to the timestamp file for systems without /proc or sysctl.

The commits to stop using ttyname() and use /proc instead may be incomplete: 632f8e028191 for 1.7 and 6b22be4d09f0 for 1.8 are only the initial commits (i.e., refinements and bug fix commits are not listed as of 2013/02/27).

Backporting the patches for this longstanding issue to Ubuntu 12.04 LTS and earlier is likely regression-prone, and the fix to remove the fallback and add the session id for 12.10 and 13.04 is not worth a security update. Marking 12.10 and earlier as ignored and leaving 13.04 as needed, since we can pick up the fix when 1.8.6p7+ is pushed to Ubuntu.

CVE-2013-2776 and CVE-2013-2777 are the same issue but split out into new CVEs for accounting purposes.
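The mechanism that the description and the note above turn on, as an added illustration (this is not sudo's code; the helper names, the two key formats and the use of a pseudo-terminal to stand in for the victim's terminal are assumptions made for the example): a tty_tickets identity derived only from ttyname() is reproduced by any process of the same user that opens the same device node and points its standard descriptors at it, whereas a key that also carries the session id, in the spirit of what sudo 1.8.6p7/1.7.10p6 added to the timestamp file, comes out different for a process running in another session even though it holds the very same tty.

```python
"""Added illustration, not sudo's code: ttyname()-only ticket identity versus
an identity that also binds the session id. Linux only; needs /dev/pts."""
import os


def ticket_key_ttyname(fd):
    """Weak scheme (what the CVE describes): the terminal's identity is
    whatever ttyname() reports for fd. Any process of the same uid that
    opens the same device node gets exactly this key, so a ticket written
    for the victim's terminal is honoured for the attacker's process too."""
    return os.ttyname(fd)


def ticket_key_with_sid(fd, sid=None):
    """Hardened scheme (assumed format): device number of the tty plus the
    session id of the asking process. A process in a different session,
    even one holding the same tty device, produces a different key."""
    st = os.fstat(fd)
    if sid is None:
        sid = os.getsid(0)
    return f"{os.major(st.st_rdev)}:{os.minor(st.st_rdev)}:sid={sid}"


def key_from_new_session(fd):
    """Compute ticket_key_with_sid(fd) in a child that has called setsid(),
    i.e. from a session other than the caller's, and return the result.
    This stands in for the attacker's sudo invocation on another login."""
    rd, wr = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: new session, same file descriptor
        os.close(rd)
        try:
            os.setsid()
            os.write(wr, ticket_key_with_sid(fd).encode())
        except OSError:
            os.write(wr, b"ERR")
        finally:
            os._exit(0)
    os.close(wr)
    chunks = []
    while True:
        data = os.read(rd, 4096)
        if not data:
            break
        chunks.append(data)
    os.close(rd)
    os.waitpid(pid, 0)
    return b"".join(chunks).decode()


def demo():
    """Open a pty as the victim's terminal, let an 'attacker' descriptor
    open the same device node, and compare what each scheme decides.
    Returns None when no pseudo-terminal can be allocated (no /dev/ptmx)."""
    try:
        master, victim_tty = os.openpty()  # constructed stand-in for the victim's tty
    except OSError:
        return None
    try:
        name = os.ttyname(victim_tty)
        # The attacker (same uid) opens the victim's device node, which is the
        # "connecting to the standard input, output, and error file
        # descriptors of another terminal" vector from the description.
        attacker_fd = os.open(name, os.O_RDWR | os.O_NOCTTY)
        try:
            weak_victim = ticket_key_ttyname(victim_tty)
            weak_attacker = ticket_key_ttyname(attacker_fd)
            strong_victim = ticket_key_with_sid(victim_tty)
            strong_attacker = key_from_new_session(attacker_fd)
        finally:
            os.close(attacker_fd)
    finally:
        os.close(master)
        os.close(victim_tty)
    return {
        "tty": name,
        "ttyname_key_reused": weak_victim == weak_attacker,  # True: ticket hijacked
        "sid_key_reused": strong_victim == strong_attacker,  # False: must re-authenticate
    }


if __name__ == "__main__":
    print(demo())
```

The example reduces a sudo ticket to a string key so the two checks can be compared directly; real sudo keeps a timestamp file, and the point is only which inputs go into its identity. The forked child calling setsid() plays the attacker's separate login session; on a real system the victim and the attacker would simply be two logins of the same user, which is why the ttyname()-only key collides.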
