Reported to Bugtraq on Jul02 that pam_timestamp_check can be used to gain privileges if a local attacker can create a file in /var/run/sudo. The file contents are not checked so any tmp file creation vulnerability can be used to create such a file. A solution would be to check for some particular content in the ticket file (as any vulnerability that allows arbitrary contents to be written to arbitrary files has greater security implications).
Just to clarify this issue: what the reporter found is that if you can find a temporary file creation vulnerability which lets a user create an arbitrarily named file as root (for an example see http://rhn.redhat.com/errata/RHSA-2003-039.html) then you can utilise the issue found in the pam_timestamp_check module to gain root privileges.
*** Bug 98651 has been marked as a duplicate of this bug. ***
We're working on an update where a key is created when first needed and stored in the /var/run/sudo files along with the timestamp (so the file timestamp also does not need to be trusted).
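A sketch of the keyed-ticket idea described in the comment above, added here as an illustration and not taken from pam_timestamp or the eventual update. The ticket layout (8-byte timestamp, user name, HMAC-SHA256 tag), the function names and the 300-second lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct
import time

MAC_LEN = hashlib.sha256().digest_size
TICKET_TTL = 300  # seconds; assumed lifetime, not a value from the bug report


def load_or_create_key(path):
    """Create a random key on first use (O_EXCL, mode 0600), else read it back."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        with open(path, "rb") as f:
            return f.read()
    key = os.urandom(32)
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return key


def write_ticket(path, key, user, now=None):
    """Store the timestamp inside the ticket and authenticate it with the key."""
    stamp = int(now if now is not None else time.time())
    body = struct.pack(">Q", stamp) + user.encode()
    with open(path, "wb") as f:
        f.write(body + hmac.new(key, body, hashlib.sha256).digest())


def check_ticket(path, key, user, now=None):
    """Accept only tickets with a valid MAC; file existence and mtime are ignored."""
    try:
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return False
    if len(data) < 8 + MAC_LEN:
        return False  # empty or truncated file, e.g. one that was merely created
    body, mac = data[:-MAC_LEN], data[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()):
        return False  # contents were not produced by a holder of the key
    stamp = struct.unpack(">Q", body[:8])[0]
    now = int(now if now is not None else time.time())
    return body[8:] == user.encode() and 0 <= now - stamp <= TICKET_TTL
```

With this check, a file that only exists in the ticket directory no longer counts as a ticket, and the lifetime comes from the authenticated timestamp in the file rather than from its mtime.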
This is somewhat related to bug #99058 (userhelper needs 'remember password' box)
*** Bug 104641 has been marked as a duplicate of this bug. ***
*** Bug 98650 has been marked as a duplicate of this bug. ***
This is already fixed in current releases.