CVE-2013-2776 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2013-2776 Interim 1 22 2023-07-02T01:20:42Z current 2021-05-30T13:12:35Z 2023-07-02T01:20:42Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2013-2776 sudo 1.3.5 through 1.7.10p5 and 1.8.0 through 1.8.6p6, when running on systems without /proc or the sysctl function with the tty_tickets option enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to the standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2013-May/000452.html E-Mail link for SUSE-SU-2013:0793-1 https://lists.suse.com/pipermail/sle-security-updates/2013-October/000613.html E-Mail link for SUSE-SU-2013:1594-1 https://lists.suse.com/pipermail/sle-security-updates/2013-October/000614.html E-Mail link for SUSE-SU-2013:1595-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Desktop 11 SP2 SUSE Linux Enterprise Point of Service 11 SP3 SUSE Linux Enterprise Server 11 SP1-LTSS SUSE Linux Enterprise Server 11 SP1-TERADATA SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3 for Teradata SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server 11 SP4 LTSS SUSE Linux Enterprise Server for SAP Applications 11 SP2 sudo sudo-1.7.6p2-0.17.5 sudo-1.7.6p2-0.2.12.1 sudo-1.7.6p2-0.2.12.5 sudo-1.7.6p2-0.23.1 sudo-1.7.6p2-0.2.12.1 as a component of SUSE Linux Enterprise Desktop 11 SP2 sudo-1.7.6p2-0.2.12.5 as a component of SUSE Linux Enterprise Server 11 SP1-LTSS sudo-1.7.6p2-0.2.12.5 as a component of SUSE Linux Enterprise Server 11 SP1-TERADATA sudo-1.7.6p2-0.2.12.1 as a component of SUSE Linux Enterprise Server 11 SP2 sudo-1.7.6p2-0.17.5 as a component of SUSE Linux Enterprise Server 11 SP3 sudo-1.7.6p2-0.23.1 as a component of SUSE Linux Enterprise Server 11 SP4 sudo-1.7.6p2-0.2.12.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP2 sudo as a component of SUSE Linux Enterprise Point of Service 11 SP3 sudo as a component of SUSE Linux Enterprise Server 11 SP3 for Teradata sudo as a component of SUSE Linux Enterprise Server 11 SP4 LTSS sudo 1.3.5 through 1.7.10p5 and 1.8.0 through 1.8.6p6, when running on systems without /proc or the sysctl function with the tty_tickets option enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to the standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions. CVE-2013-2776 SUSE Linux Enterprise Desktop 11 SP2:sudo-1.7.6p2-0.2.12.1 SUSE Linux Enterprise Server 11 SP1-LTSS:sudo-1.7.6p2-0.2.12.5 SUSE Linux Enterprise Server 11 SP1-TERADATA:sudo-1.7.6p2-0.2.12.5 SUSE Linux Enterprise Server 11 SP2:sudo-1.7.6p2-0.2.12.1 SUSE Linux Enterprise Server 11 SP3:sudo-1.7.6p2-0.17.5 SUSE Linux Enterprise Server 11 SP4:sudo-1.7.6p2-0.23.1 SUSE Linux Enterprise Server for SAP Applications 11 SP2:sudo-1.7.6p2-0.2.12.1 SUSE Linux Enterprise Point of Service 11 SP3:sudo SUSE Linux Enterprise Server 11 SP3 for Teradata:sudo SUSE Linux Enterprise Server 11 SP4 LTSS:sudo moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P