CVE-2013-2777

Publication date 8 April 2013

Last updated 24 July 2024

sudo before 1.7.10p5 and 1.8.x before 1.8.6p6, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to a session without a controlling terminal device and connecting to the standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
sudo	12.10 quantal	Ignored
	12.04 LTS precise	Ignored
	11.10 oneiric	Ignored
	10.04 LTS lucid	Ignored
	8.04 LTS hardy	Ignored

How can I get the fixes?
What do statuses mean?

Notes

jdstrand

see CVE-2013-1776 for complete information. This CVE was split from CVE-2013-1776 for accounting purposes

References

MITRE
NVD
Launchpad
Debian

Other references

http://xforce.iss.net/xforce/xfdb/82453
http://www.sudo.ws/sudo/alerts/tty_tickets.html
http://www.sudo.ws/repos/sudo/rev/bfa23f089bba
http://www.sudo.ws/repos/sudo/rev/2f3225a2a4a4
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.517440
http://www.openwall.com/lists/oss-security/2013/02/27/31
http://www.debian.org/security/2012/dsa-2642
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701839
https://www.cve.org/CVERecord?id=CVE-2013-2777