CVE-2013-1776

this all revolves around sudo's longstanding use of ttyname() when
using the tty_tickets option. tty_tickets maintains separate timestamps for
each tty and is intended to help prevent ticket reuse. Ubuntu 11.10 started
using tty_tickets by default. The implementation initially relies on the use
of ttyname(), which was not sufficient to stop ticket reuse under some
circumstances. sudo stopped using ttyname() in 1.8.5 and 1.7.10 but had
fallback behavior that continued to use ttyname() up until 1.8.6p6 and
1.7.10p5, where the fallback behavior was removed. sudo 1.8.6p7 and 1.7.10p6
added the session id (sid) to the timestamp file for systems without /proc or
sysctl
The commits to stop using ttyname() and use /proc instead may be
incomplete-- 632f8e028191 for 1.7 and 6b22be4d09f0 for 1.8 are only the
initial commits (ie, refinements and bug fix commits are not listed as of
2013/02/27)
backporting the patches for this longstanding issue to Ubuntu 12.04
LTS and earlier is likely regression-prone and the fix to remove the fallback
and add the session id for 12.10 and 13.04 is not worth a security update.
Marking 12.10 and earlier as ignored and leaving 13.04 as needed since we
can pick up the fix when 1.8.6p7+ is pushed to Ubuntu.
CVE-2013-2776 and CVE-2013-2777 are the same issue but split out
into new CVEs for accounting purposes