Sudo
Double free with per-command chroot sudoers rules
A flaw exists in sudo’s per-command chroot feature that could result in the variable that stores the command being freed more than once. Sudo versions affected: Sudo versions 1.9.8 through 1.9.13p1 inclusive are affected. Versions of sudo prior to 1.9.8 are not affected. CVE ID: This vulnerability has been assigned CVE-2023-27320 in the Common Vulnerabilities and Exposures database. Details: Starting with Sudo 1.9.3, it is possible to specify an alternate root directory that sudo will change to before executing the command. ...
Sudoedit can edit arbitrary files
A flaw exists in sudo’s -e option (aka sudoedit) that allows a malicious user with sudoedit privileges to edit arbitrary files. Sudo versions affected: Sudo versions 1.8.0 through 1.9.12p1 inclusive are affected. Versions of sudo prior to 1.8.0 construct the argument vector differently and are not affected. CVE ID: This vulnerability has been assigned CVE-2023-22809 in the Common Vulnerabilities and Exposures database. Details: When invoked as sudo -e or sudoedit, sudo can be used to edit privileged files while running the editor as an unprivileged user. ...
Buffer overflow in command line unescaping
A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug. Sudo versions affected: Sudo versions 1.7.7 through 1.7.10p9, 1.8.2 through 1.8.31p2, and 1. ...
Symbolic link attack in SELinux-enabled sudoedit
On systems where SELinux is enabled, sudo’s RBAC support allows a command to be run with a user-specified role and/or type. In order to transition to the target SELinux security context, sudo runs the command through the sesh helper program. When sudo is invoked as sudoedit, sesh is used to first create the editor temporary files with the proper security context and then, once the editor has run, to copy the edited temporary files to their original locations. ...
Buffer overflow when pwfeedback is set in sudoers
Sudo’s pwfeedback option can be used to provide visual feedback when the user is inputting their password. For each key press, an asterisk is printed. This option was added in response to user confusion over how the standard Password: prompt disables the echoing of key presses. While pwfeedback is not enabled by default in the upstream version of sudo, some systems, such as Linux Mint and Elementary OS, do enable it in their default sudoers files. ...
Potential bypass of Runas user restrictions
When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295. This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification. ...
Potential file overwrite or tty access on Linux
On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process’s tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include white space (including newline), which sudo does not account for. A user with sudo privileges can cause sudo to use a device number of the user’s choosing by creating a symbolic link from the sudo binary to a name that contains white space followed by a number. ...
Potential bypass of sudo_noexec.so on Linux
A flaw exists in sudo’s noexec functionality that may allow a user with sudo privileges to run additional commands even when the NOEXEC tag has been applied to a command that uses either the system() or popen() functions. Sudo versions affected: 1.6.8 through 1.8.14p3 inclusive. CVE ID: This vulnerability has been assigned CVE-2016-7032 in the Common Vulnerabilities and Exposures database. Details: Sudo supports an optional setting to prevent the command being executed from executing further commands. ...
Potential bypass of sudo_noexec.so via wordexp()
A flaw exists in sudo’s noexec functionality that may allow a user with sudo privileges to run additional commands even when the NOEXEC tag has been applied to a command that uses the wordexp() function. Sudo versions affected: 1.6.8 through 1.8.18 inclusive. CVE ID: This vulnerability has been assigned CVE-2016-7076 in the Common Vulnerabilities and Exposures database. Details: Sudo supports an optional setting to prevent the command being executed from executing further commands. ...
Arbitrary file access via TZ environment variable
Prior to sudo 1.8.12, the TZ environment variable was passed through unchecked. Most libc tzset() implementations support passing an absolute pathname in the time zone to point to an arbitrary, user-controlled file. This may be used to exploit bugs in the C library’s TZ parser or open files the user would not otherwise have access to. Arbitrary file access via TZ could also be used in a denial of service attack by reading from a file or fifo that will block. ...