
You may want to run system updates, after a recent sudo security flaw

By - | Views: 28,899

It was pointed out to me recently in the GamingOnLinux Discord that the sudo package had a security flaw, so it's time to check for updates.

The sudo package is what's responsible for giving certain users or user groups the ability to run some (or all) commands as root or another user. It's a pretty important package, and of course one that needs to be secure. Nothing is perfect, of course, and security issues being reported and then fixed is a good thing.

Going by the US NVD (National Vulnerability Database) entry for it, the issue is rated High severity. As described there:

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.

Given that it requires local access, that does limit what people can do with it, but it's still a good reminder to ensure your systems are up to date, eh?

So if you're on at least sudo 1.9.12p2 you're good to go. Although, some distributions like Ubuntu backport fixes and use slightly different versioning, so if you're on Ubuntu you should have 1.9.11p3. Fedora seems up to date too, but checking on System76's Pop!_OS it's only reporting sudo 1.9.9 for example (Edit: but as pointed out in the comments, it has the patch as it's based on an older Ubuntu).
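As an added example (not from the article or the sudo project), here is a small Python check that parses `sudo --version` output into a comparable tuple and applies the ranges quoted above. The sample outputs are constructed, and, as the article notes, a version below 1.9.12p2 on a distribution that backports fixes means "check your distro's advisory", not "vulnerable".

```python
import re
import subprocess
from typing import Optional, Tuple

# Upstream fix landed in 1.9.12p2; NVD lists 1.8.0 through 1.9.12p1 as affected.
FIXED_UPSTREAM = (1, 9, 12, 2)
FIRST_AFFECTED = (1, 8, 0, 0)

# major.minor[.patch][pN]; also tolerates the "1.9.12.p1" spelling used by NVD.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.?p(\d+))?")

# Constructed sample outputs (first line of `sudo --version` on each system).
SAMPLE_OUTPUTS = {
    "upstream": "Sudo version 1.9.12p2\nSudoers policy plugin version 1.9.12p2\n",
    "ubuntu": "Sudo version 1.9.11p3\nSudoers policy plugin version 1.9.11p3\n",
    "popos": "Sudo version 1.9.9\nSudoers policy plugin version 1.9.9\n",
}


def parse_sudo_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, p-level) from version output, or None.
    A missing patch or p-level counts as 0, so 1.9.9 sorts below 1.9.9p1."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def classify(text: str) -> str:
    """Map version output to an action: only an upstream-fixed version is
    conclusive; older numbers may still carry a distro backport of the fix."""
    v = parse_sudo_version(text)
    if v is None:
        return "unknown"
    if v >= FIXED_UPSTREAM:
        return "fixed-upstream"
    if v < FIRST_AFFECTED:
        return "predates-affected-range"
    return "check-distro-backport"


def local_sudo_version() -> str:
    """Run `sudo --version` (prints without authenticating) on this host."""
    try:
        return subprocess.run(["sudo", "--version"], capture_output=True,
                              text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    out = local_sudo_version()
    print(out.splitlines()[0] if out else "sudo not found", "->", classify(out))
```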

You can read a little more on it here.

Article taken from GamingOnLinux.com.
Tags: Security, Misc
11 comments
axelb Feb 17, 2023
Quoting: F.Ultra
Debian released patched versions on 2023-01-23, https://security-tracker.debian.org/tracker/CVE-2023-22809

I could not find any info for Arch on https://security.archlinux.org/ but it looks from their package database that they released patched versions around 2023-02-10, 2023-02-15
Well, Debian announced the availability of updated packages on January 18: https://www.debian.org/security/2023/dsa-5321 and if I am interpreting this correctly, then Arch released 1.9.12p2 also on January 18: https://github.com/archlinux/svntogit-packages/commits/packages/sudo/trunk

For everyone interested in keeping track of security related package updates there is (at least for Debian) a mailing list you can subscribe to: https://lists.debian.org/debian-security-announce/


Last edited by axelb on 17 February 2023 at 10:51 pm UTC