Hi Adam,

On Tue, Aug 08, 2017 at 11:25:53AM -0400, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Tue, 2017-08-01 at 15:55 +0200, Salvatore Bonaccorso wrote:
> > sudo in jessie is still affected by CVE-2017-1000368. The issue IMHO
> > does not need a DSA, since with the previous fixes due to the /dev
> > traversal changes the issue was not anymore exploitable. Still it
> > would make sense IMHO to address it. Attached is the proposed debdiff.
>
> Please go ahead.

I will not for now: fortunately spotted in time, there is a problem in my
patch. I lost

    snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());

while backporting. I will need to either fix that in the patch, or cherry-pick
https://www.sudo.ws/repos/sudo/rev/6f3d9816541b?revcount=120 as well.

Will come back with a revisited patch.

Regards,
Salvatore