Hi Mark - I've taken a look at the details in this bug, the upstream
sudo bug, the /r/linux thread, and the upstream sudo fix. I appreciate
and respect your thoroughness.

After taking all of the details into account, I consider this issue to
be low severity due to the mitigating factors involved. Specifically, I
don't see a way for an attacker, without physical access, to use an
arbitrary code execution vulnerability in combination with the issue
that you've described in this bug to elevate his/her privileges.
Considering this, the attack requires an admin user leave his/her
desktop session unlocked and for an attacker to come across this
unlocked desktop session. Since there are many different ways to attack
an unlocked desktop session, best security practices dictate all users
lock their screens when not at their computer.

We will fix this issue in the next Ubuntu release (15.10) by including
sudo 1.8.10 or newer.  Due to the issue’s low severity and considering
our practice of prioritizing resources on publishing security updates
that fix issues of greater security impact, we may fix this issue in
stable releases of Ubuntu in the future if another sudo vulnerability of
higher severity is found or if new details emerge regarding this issue.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1219337

Title:
  Users can change the clock without authenticating, allowing them to
  locally exploit sudo.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
