diff -up sudo-1.8.6p7/doc/sudoers.cat.digest_race_doc sudo-1.8.6p7/doc/sudoers.cat
--- sudo-1.8.6p7/doc/sudoers.cat.digest_race_doc	2016-05-11 13:53:51.125141217 +0200
+++ sudo-1.8.6p7/doc/sudoers.cat	2016-05-11 13:56:10.678178899 +0200
@@ -301,13 +301,11 @@ SSUUDDOOEERRSS FFIILLEE FFO
 
      If a command name is prefixed with a Digest_Spec, the command will only
      match successfully if it can be verified using the specified SHA-2
-     digest.  This may be useful in situations where the user invoking ssuuddoo
-     has write access to the command or its parent directory.  The following
-     digest formats are supported: sha224, sha256, sha384 and sha512.  The
-     string may be specified in either hex or base64 format (base64 is more
-     compact).  There are several utilities capable of generating SHA-2
-     digests in hex format such as openssl, shasum, sha224sum, sha256sum,
-     sha384sum, sha512sum.
+     digest.  The following digest formats are supported: sha224, sha256,
+     sha384 and sha512.  The string may be specified in either hex or base64
+     format (base64 is more compact).  There are several utilities capable of
+     generating SHA-2 digests in hex format such as openssl, shasum,
+     sha224sum, sha256sum, sha384sum, sha512sum.
 
      For example, using openssl:
 
@@ -319,6 +317,11 @@ SSUUDDOOEERRSS FFIILLEE FFO
      $ openssl dgst -binary -sha224 /bin/ls | openssl base64
      EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
 
+     If the user has write access to either the command itself or the
+     directory in which the command is located (directly or via a ssuuddoo
+     command) it may be possible for the user to replace the command after the
+     digest check has been performed but before the command is executed.
+
    DDeeffaauullttss
      Certain configuration options may be changed from their default values at
      run-time via one or more Default_Entry lines.  These may affect all users
diff -up sudo-1.8.6p7/doc/sudoers.man.in.digest_race_doc sudo-1.8.6p7/doc/sudoers.man.in
--- sudo-1.8.6p7/doc/sudoers.man.in.digest_race_doc	2016-05-11 13:54:01.005002291 +0200
+++ sudo-1.8.6p7/doc/sudoers.man.in	2016-05-11 13:58:28.541240345 +0200
@@ -679,9 +679,6 @@ is prefixed with a
 \fRDigest_Spec\fR,
 the command will only match successfully if it can be verified
 using the specified SHA-2 digest.
-This may be useful in situations where the user invoking
-\fBsudo\fR
-has write access to the command or its parent directory.
 The following digest formats are supported: sha224, sha256, sha384 and sha512.
 The string may be specified in either hex or base64 format
 (base64 is more compact).
@@ -705,6 +702,13 @@ $ openssl dgst -binary -sha224 /bin/ls |
 EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
 .RE
 .fi
+.PP
+If the user has write access to either the command itself or the
+directory in which the command is located (directly or via a
+\fBsudo\fR
+command) it may be possible for the user to replace the command
+after the digest check has been performed but before the command
+is executed.
 .SS "Defaults"
 Certain configuration options may be changed from their default
 values at run-time via one or more
diff -up sudo-1.8.6p7/doc/sudoers.mdoc.in.digest_race_doc sudo-1.8.6p7/doc/sudoers.mdoc.in
--- sudo-1.8.6p7/doc/sudoers.mdoc.in.digest_race_doc	2016-05-11 13:54:07.749907447 +0200
+++ sudo-1.8.6p7/doc/sudoers.mdoc.in	2016-05-11 13:59:22.263484933 +0200
@@ -655,9 +655,6 @@ is prefixed with a
 .Li Digest_Spec ,
 the command will only match successfully if it can be verified
 using the specified SHA-2 digest.
-This may be useful in situations where the user invoking
-.Nm sudo
-has write access to the command or its parent directory.
 The following digest formats are supported: sha224, sha256, sha384 and sha512.
 The string may be specified in either hex or base64 format
 (base64 is more compact).
@@ -675,6 +672,13 @@ It is also possible to use openssl to ge
 $ openssl dgst -binary -sha224 /bin/ls | openssl base64
 EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
 .Ed
+.Pp
+If the user has write access to either the command itself or the
+directory in which the command is located (directly or via a
+.Nm sudo
+command) it may be possible for the user to replace the command
+after the digest check has been performed but before the command
+is executed.
 .Ss Defaults
 Certain configuration options may be changed from their default
 values at run-time via one or more