This patch will upgrade Sudo version 1.8.6 patchlevel 6 to Sudo version 1.8.6 patchlevel 7. To apply: $ cd sudo-1.8.6p6 $ patch -p1 < sudo-1.8.6p7.patch diff -urNa sudo-1.8.6p6/ChangeLog sudo-1.8.6p7/ChangeLog --- sudo-1.8.6p6/ChangeLog Thu Jan 31 16:13:11 2013 +++ sudo-1.8.6p7/ChangeLog Mon Feb 25 15:09:12 2013 @@ -1,3 +1,31 @@ +2013-02-25 Todd C. Miller + + * plugins/sudoers/check.c: + Completely ignore time stamp file if it is set to the epoch, + regardless of what gettimeofday() returns. + [ebd6cc75020f] + + * plugins/sudoers/check.c, plugins/sudoers/sudoers.c, + plugins/sudoers/sudoers.h: + Store the session ID in the tty ticket file too. A tty may only be + in one session at a time so if the session ID doesn't match we + ignore the ticket. + [049a12a5cc14] + + * configure, configure.in: + Sudo 1.8.6p7 + [3334bc872111] + + * NEWS: + Update for Sudo 1.8.6p7 + [3b853ddc529c] + +2013-02-11 Todd C. Miller + + * NEWS: + Add Sudo 1.8.6p7 + [77480be0f378] + 2013-01-31 Todd C. Miller * NEWS: diff -urNa sudo-1.8.6p6/NEWS sudo-1.8.6p7/NEWS --- sudo-1.8.6p6/NEWS Thu Jan 31 16:07:25 2013 +++ sudo-1.8.6p7/NEWS Mon Feb 25 14:47:17 2013 @@ -1,3 +1,17 @@ +What's new in Sudo 1.8.6p7? + + * A time stamp file with the date set to the epoch by "sudo -k" + is now completely ignored regardless of what the local clock is + set to. Previously, if the local clock was set to a value between + the epoch and the time stamp timeout value, a time stamp reset + by "sudo -k" would be considered current. + + * The tty-specific time stamp file now includes the session ID + of the sudo process that created it. If a process with the same + tty but a different session ID runs sudo, the user will now be + prompted for a password (assuming authentication is required for + the command). + What's new in Sudo 1.8.6p6? * On systems where the controlling tty can be determined via /proc 
@@ -91,7 +105,7 @@ ldap.conf options. A new ldap.conf option, TLS_KEYPW can be used to specify a password to decrypt the key database. - * When constructing a time filter for use with LDAP sudoNotBefore + * When constructing a time filter for use with LDAP sudoNotBefore and sudoNotAfter attributes, the current time now includes tenths of a second. This fixes a problem with timed entries on Active Directory. @@ -357,7 +371,7 @@ * Fixed a crash in the monitor process on Solaris when NOPASSWD was specified or when authentication was disabled. - + * Fixed matching of a Runas_Alias in the group section of a Runas_Spec. diff -urNa sudo-1.8.6p6/configure sudo-1.8.6p7/configure --- sudo-1.8.6p6/configure Thu Jan 31 16:07:43 2013 +++ sudo-1.8.6p7/configure Mon Feb 25 14:48:02 2013 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.68 for sudo 1.8.6p6. +# Generated by GNU Autoconf 2.68 for sudo 1.8.6p7. # # Report bugs to . # @@ -570,8 +570,8 @@ # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.8.6p6' -PACKAGE_STRING='sudo 1.8.6p6' +PACKAGE_VERSION='1.8.6p7' +PACKAGE_STRING='sudo 1.8.6p7' PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/' PACKAGE_URL='' @@ -1470,7 +1470,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.8.6p6 to adapt to many kinds of systems. +\`configure' configures sudo 1.8.6p7 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1535,7 +1535,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.8.6p6:";; + short | recursive ) echo "Configuration of sudo 1.8.6p7:";; esac cat <<\_ACEOF 
@@ -1761,7 +1761,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.8.6p6 +sudo configure 1.8.6p7 generated by GNU Autoconf 2.68 Copyright (C) 2010 Free Software Foundation, Inc. @@ -2465,7 +2465,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.8.6p6, which was +It was created by sudo $as_me 1.8.6p7, which was generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@ @@ -21596,7 +21596,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.8.6p6, which was +This file was extended by sudo $as_me 1.8.6p7, which was generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -21662,7 +21662,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sudo config.status 1.8.6p6 +sudo config.status 1.8.6p7 configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\" diff -urNa sudo-1.8.6p6/configure.in sudo-1.8.6p7/configure.in --- sudo-1.8.6p6/configure.in Thu Jan 31 16:07:32 2013 +++ sudo-1.8.6p7/configure.in Mon Feb 25 14:47:48 2013 @@ -3,7 +3,7 @@ dnl dnl Copyright (c) 1994-1996,1998-2013 Todd C. Miller dnl -AC_INIT([sudo], [1.8.6p6], [http://www.sudo.ws/bugs/], [sudo]) +AC_INIT([sudo], [1.8.6p7], [http://www.sudo.ws/bugs/], [sudo]) AC_CONFIG_HEADER([config.h pathnames.h]) dnl dnl Note: this must come after AC_INIT diff -urNa sudo-1.8.6p6/plugins/sudoers/check.c sudo-1.8.6p7/plugins/sudoers/check.c --- sudo-1.8.6p6/plugins/sudoers/check.c Tue Sep 18 09:56:29 2012 +++ sudo-1.8.6p7/plugins/sudoers/check.c Mon Feb 25 14:49:32 2013 
@@ -82,6 +82,7 @@ dev_t rdev; /* tty device ID */ ino_t ino; /* tty inode number */ struct timeval ctime; /* tty inode change time */ + pid_t sid; /* ID of session with controlling tty */ } tty_info; static int build_timestamp(char **, char **); @@ -138,13 +139,14 @@ if (ISSET(mode, MODE_IGNORE_TICKET)) SET(validated, FLAG_CHECK_USER); - /* Stash the tty's ctime for tty ticket comparison. */ + /* Stash the tty's device, session ID and ctime for ticket comparison. */ if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) { tty_info.dev = sb.st_dev; tty_info.ino = sb.st_ino; tty_info.rdev = sb.st_rdev; if (tty_is_devpts(user_ttypath)) ctim_get(&sb, &tty_info.ctime); + tty_info.sid = user_sid; } if (build_timestamp(×tampdir, ×tampfile) == -1) { 
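Review bot: `tty_info.sid = user_sid;` in the second hunk is assigned unconditionally, but user_sid is only filled in when the front end passes a `sid=` setting (see the sudoers.c hunk), so with a front end that does not send it the field is presumably 0 in both the live struct and the ticket and the new session check silently contributes nothing. That degradation deserves a comment at the assignment, e.g. `/* 0 if the front end supplied no session ID; the session check is then a no-op. */`, and possibly a debug message when user_sid == 0. If the ticket file stores tty_info verbatim (not visible here), tickets written by 1.8.6p6 will also stop matching after the upgrade, which is harmless but may merit a NEWS line. The enclosing function starts and ends outside the hunk.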
@@ -627,31 +629,34 @@ */ if (status == TS_OLD && !ISSET(flags, TS_REMOVE)) { mtim_get(&sb, &mtime); - /* Negative timeouts only expire manually (sudo -k). */ - if (def_timestamp_timeout < 0 && mtime.tv_sec != 0) - status = TS_CURRENT; - else { - now = time(NULL); - if (def_timestamp_timeout && - now - mtime.tv_sec < 60 * def_timestamp_timeout) { - /* - * Check for bogus time on the stampfile. The clock may - * have been set back or someone could be trying to spoof us. - */ - if (mtime.tv_sec > now + 60 * def_timestamp_timeout * 2) { - time_t tv_sec = (time_t)mtime.tv_sec; - log_error(0, - _("timestamp too far in the future: %20.20s"), - 4 + ctime(&tv_sec)); - if (timestampfile) - (void) unlink(timestampfile); - else - (void) rmdir(timestampdir); - status = TS_MISSING; - } else if (get_boottime(&boottime) && timevalcmp(&mtime, &boottime, <)) { - status = TS_OLD; - } else { - status = TS_CURRENT; + if (timevalisset(&mtime)) { + /* Negative timeouts only expire manually (sudo -k). */ + if (def_timestamp_timeout < 0) { + status = TS_CURRENT; + } else { + now = time(NULL); + if (def_timestamp_timeout && + now - mtime.tv_sec < 60 * def_timestamp_timeout) { + /* + * Check for bogus time on the stampfile. The clock may + * have been set back or user could be trying to spoof us. + */ + if (mtime.tv_sec > now + 60 * def_timestamp_timeout * 2) { + time_t tv_sec = (time_t)mtime.tv_sec; + log_error(0, + _("timestamp too far in the future: %20.20s"), + 4 + ctime(&tv_sec)); + if (timestampfile) + (void) unlink(timestampfile); + else + (void) rmdir(timestampdir); + status = TS_MISSING; + } else if (get_boottime(&boottime) && + timevalcmp(&mtime, &boottime, <)) { + status = TS_OLD; + } else { + status = TS_CURRENT; + } } } } diff -urNa sudo-1.8.6p6/plugins/sudoers/sudoers.c sudo-1.8.6p7/plugins/sudoers/sudoers.c --- sudo-1.8.6p6/plugins/sudoers/sudoers.c Thu Jan 3 14:03:21 2013 +++ sudo-1.8.6p7/plugins/sudoers/sudoers.c Mon Feb 25 14:49:09 2013 
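Review bot: The new `if (timevalisset(&mtime))` guard is the substance of the epoch fix, yet nothing in the hunk says why an unset mtime is deliberately left at TS_OLD, which invites a later "simplification" back to a bare tv_sec test; a comment above it would pin the intent, e.g. `/* An mtime of the epoch means the ticket was reset by "sudo -k"; keep it TS_OLD regardless of what the local clock says. */`. If timevalisset() follows the BSD timerisset() definition it tests both tv_sec and tv_usec, so the reset path must write exactly (0, 0) for this to trigger — presumably it does, but that code is not in the hunk. The enclosing function starts and ends outside the hunk.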
@@ -1410,6 +1410,10 @@ sudo_user.cols = atoi(*cur + sizeof("cols=") - 1); continue; } + if (MATCHES(*cur, "sid=")) { + sudo_user.sid = atoi(*cur + sizeof("sid=") - 1); + continue; + } } if (user_cwd == NULL) user_cwd = "unknown"; diff -urNa sudo-1.8.6p6/plugins/sudoers/sudoers.h sudo-1.8.6p7/plugins/sudoers/sudoers.h --- sudo-1.8.6p6/plugins/sudoers/sudoers.h Thu Jan 3 13:57:41 2013 +++ sudo-1.8.6p7/plugins/sudoers/sudoers.h Mon Feb 25 14:49:09 2013 @@ -95,6 +95,7 @@ int flags; uid_t uid; uid_t gid; + pid_t sid; }; /* @@ -171,8 +172,8 @@ #define user_name (sudo_user.name) #define user_uid (sudo_user.uid) #define user_gid (sudo_user.gid) +#define user_sid (sudo_user.sid) #define user_passwd (sudo_user.pw->pw_passwd) -#define user_uuid (sudo_user.uuid) #define user_dir (sudo_user.pw->pw_dir) #define user_gids (sudo_user.gids) #define user_ngids (sudo_user.ngids)
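Review bot: `sudo_user.sid = atoi(*cur + sizeof("sid=") - 1);` follows the existing `cols=` pattern, but here a result of 0 is not just a default: it is the value that makes the tty-ticket session comparison vacuous, so a malformed or truncated value silently weakens the check rather than failing. Distinguishing a parse failure would be safer, e.g. `errno = 0; long v = strtol(p, &ep, 10); if (ep != p && *ep == '\0' && errno == 0) sudo_user.sid = (pid_t)v;`, or at minimum a comment stating that 0 means "unknown session". The enclosing settings loop starts and ends outside the hunk.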
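Review bot: The removal of `#define user_uuid (sudo_user.uuid)` in the last sudoers.h hunk is unrelated to the session-ID change and is not mentioned in the ChangeLog entry for sudoers.h; if it is dead code the entry should say so, otherwise any remaining reference to user_uuid breaks at compile time, which cannot be checked from this patch. The new `pid_t sid;` member in struct sudo_user would also benefit from a one-line comment such as `/* session ID, from the front end's "sid=" setting */` since tty tickets are now keyed on it.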