Hi Adam,

On Tue, Aug 08, 2017 at 11:25:53AM -0400, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> On Tue, 2017-08-01 at 15:55 +0200, Salvatore Bonaccorso wrote:
> > sudo in jessie ist still affected by CVE-2017-1000368. The issue IMHo
> > does not need a DSA, since with the previous fixes due to the /dev
> > traversal changes the issue was not anymore exploitable. Still it
> > would make sense IMHO to address it. Attached is the proposed debdiff.
> Please go ahead.

I will not for now fortunately spotted in time, there is a problem in
my patch. I lost 

snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());

while backporting.

Iwill need either fix that in the patch, or cherry-pick
https://www.sudo.ws/repos/sudo/rev/6f3d9816541b?revcount=120 as well.

Will come back with a revisited patch.


Reply via email to