#44965 – (sudo) уязвимость (CVE-2023-22809)

Bug 44965 (sudo) - уязвимость (CVE-2023-22809)

Summary: уязвимость (CVE-2023-22809)

Status:	CLOSED FIXED

Alias:	sudo

Product:	Sisyphus
Classification:	Development
Component:	sudo (show other bugs)
Version:	unstable
Hardware:	x86_64 Linux

Importance:	P5 blocker
Assignee:	Evgeny Sinelnikov
QA Contact:	qa-sisyphus

URL:	https://www.opennet.ru/opennews/art.s...
Keywords:

Depends on:
Blocks:

Reported:	2023-01-19 11:22 MSK by Алексей
Modified:	2023-01-22 20:48 MSK (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Алексей 2023-01-19 11:22:51 MSK

Уязвимость проявляется начиная с ветки 1.8.0 и устранена в корректирующем обновлении sudo 1.9.12p2

https://www.opennet.ru/opennews/art.shtml?num=58507

Comment 1 Alexander Makeenkov 2023-01-19 11:55:58 MSK

Для начала нужно обновить в сизифе.

Comment 2 Алексей 2023-01-19 13:17:56 MSK

Простите больше не мешаю

Comment 3 Repository Robot 2023-01-22 20:48:55 MSK

sudo-1:1.9.12p2-alt1 -> sisyphus:

 Sun Jan 22 2023 Evgeny Sinelnikov <sin@altlinux> 1:1.9.12p2-alt1
 - Update to latest stable bugfix and security release (closes: 44965).
 - Fixed a compilation error on Linux/aarch64 (GitHub#197).
 - Fixed a potential crash introduced in the fix for (GitHub#134):
  + If a user's sudoers entry did not have any RunAs user's set, running
    "sudo -U otheruser -l" would dereference a NULL pointer.
 - Fixed a bug introduced in sudo 1.9.12 that could prevent sudo from creating
   a I/O files when the "iolog_file" sudoers setting contains six or more Xs.
 - Fixed security issue (fixes: CVE-2023-22809), a flaw in sudo's -e option (aka
   sudoedit) that could allow a malicious user with sudoedit privileges to edit
   arbitrary files.