From 63ace7c21200794709176bfefb05f0c37fee5a37 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: May 30 2017 15:56:16 +0000
Subject: import sudo-1.8.6p7-22.el7_3


---

diff --git a/SOURCES/sudo-1.8.6p7-tty-name-parsing.patch b/SOURCES/sudo-1.8.6p7-tty-name-parsing.patch
new file mode 100644
index 0000000..fb852a4
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-tty-name-parsing.patch
@@ -0,0 +1,29 @@
+diff -up sudo-1.8.6p7/src/ttyname.c.get_process_ttyname sudo-1.8.6p7/src/ttyname.c
+--- sudo-1.8.6p7/src/ttyname.c.get_process_ttyname	2013-02-25 20:46:09.000000000 +0100
++++ sudo-1.8.6p7/src/ttyname.c	2017-05-25 10:23:28.720850944 +0200
+@@ -171,6 +171,8 @@ static char *search_devs[] = {
+ 
+ static char *ignore_devs[] = {
+     "/dev/fd/",
++    "/dev/mqueue/",
++    "/dev/shm/",
+     "/dev/stdin",
+     "/dev/stdout",
+     "/dev/stderr",
+@@ -437,9 +439,13 @@ get_process_ttyname(void)
+ 	len = getline(&line, &linesize, fp);
+ 	fclose(fp);
+ 	if (len != -1) {
+-	    /* Field 7 is the tty dev (0 if no tty) */
+-	    char *cp = line;
+-	    int field = 1;
++	    /*
++	     * Field 7 is the tty dev (0 if no tty).
++	     * Since the process name at field 2 "(comm)" may include spaces,
++	     * start at the last ')' found.
++	     */
++	    char *cp = strrchr(line, ')');
++	    int field = 2;
+ 	    while (*cp != '\0') {
+ 		if (*cp++ == ' ') {
+ 		    if (++field == 7) {
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index b78c293..eb01223 100644
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.6p7
-Release: 21%{?dist}
+Release: 22%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@@ -146,6 +146,9 @@ Patch56: sudo-1.8.6p7-digest_race_doc.patch
 Patch57: sudo-1.8.6p3-visudo-quiet-flag.patch
 # 1391939 - CVE-2016-7032 CVE-2016-7076 sudo: various flaws [rhel-7.4]
 Patch58: sudo-1.8.6p7-noexec-update.patch
+# 1455401 - CVE-2017-1000367 sudo: Privilege escalation in via improper get_process_ttyname() parsing [rhel-7.3.z]
+Patch59: sudo-1.8.6p7-tty-name-parsing.patch
+
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -228,6 +231,7 @@ plugins that use %{name}.
 %patch56 -p1 -b .digest_race_doc
 %patch57 -p1 -b .visudo-quiet-flag
 %patch58 -p1 -b .noexec-update
+%patch59 -p1 -b .tty-parsing
 
 %build
 autoreconf -I m4 -fv --install
@@ -349,6 +353,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 
 %changelog
+* Mon May 29 2017 Radovan Sroka <rsroka@redhat.com> - 1.8.6p7-22
+- Fixes CVE-2017-1000367 sudo: Privilege escalation in via improper get_process_ttyname() parsing [rhel-7.3.z]
+  Resolves: rhbz#1455401
+
 * Wed Nov 23 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-21
 - Update noexec syscall blacklist
 - Fixes CVE-2016-7032 and CVE-2016-7076