Check out our Monthly Survey Page to see what our users are running.
We do often include affiliate links to earn us some pennies. See more here.

It was pointed out to me recently in the GamingOnLinux Discord, that the sudo package recently had a security flaw, so time to check for updates.

The sudo package is what's responsible for giving certain users or user groups the ability to run some (or all) commands as root or another user. A pretty important package, and of course one that needs to be secure. Nothing is perfect though of course, and security issues being reported and then fixed is a good thing.

Going by the US NVD (National Vulnerability Database) entry for it, they classed it as a High level issue. As described:

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.

Giving that it needs a local attack, it does limit what people can do with it but still a good reminder to ensure your systems are up to date eh?

So if you're on at least sudo 1.9.12p2 you're good to go. Although, some distributions like Ubuntu use slightly different versioning so if you're on Ubuntu you should have 1.9.11p3. Fedora seems up to date too, but checking on System76's Pop!_OS it's only reporting sudo 1.9.9 for example (Edit: but as pointed out in comments, it has the patch as it's based on an older Ubuntu).

You can read a little more on it here.

Article taken from GamingOnLinux.com.
Tags: Security, Misc
25 Likes
About the author -
author picture
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. You can also follow my personal adventures on Bluesky.
See more from me
The comments on this article are closed.
All posts need to follow our rules. For users logged in: please hit the Report Flag icon on any post that breaks the rules or contains illegal / harmful content. Guest readers can email us for any issues.
11 comments

☆ Promoted Comments
Full Comments
Liam Dawe Feb 15, 2023
Thanks for the reminder on it, good tip. Nice to see older releases are up to date too :)
Lachu Feb 15, 2023
I do not understood. Could not sudo copy sudoers to allow editing it, setting special sudo users privileges, run editor on this privileges and replace edited file onto /etc/sudoers?
Contrib Feb 15, 2023
I do not understood. Could not sudo copy sudoers to allow editing it, setting special sudo users privileges, run editor on this privileges and replace edited file onto /etc/sudoers?

That’s what’s bad about this one. Sudo already has a process like what you described, but the command is supposed to check whether you should be allowed to.

This bug allows a malicious user to escape the check and get sudo to help them modify arbitrary files regardless of permission.
BlackBloodRum Feb 15, 2023
  • Supporter Plus
Again?! That was fast after the last one way back in January! (this year) I can rule out my laptop at least as that's currently in progress of upgrading to Fedora 38


Giving that it needs a local attack, it does limit what people can do with it
This is the wrong way to look at local attacks. Hear me out.

So let's say you've got a local exploit in Application A, for sake of argument I'll say Application A is sudo in this case. Now we know that application cannot be attacked remotely right?

Well not necessarily. If you also have a non-sandboxed Application B, say a web browser that happens to also have a vulnerability. If an attacker is able to get access to your local account via Application B, the web browser in this case, they can now proceed to perform a local attack on sudo, gaining root on your system.

Another method may be a pirated game, or a game from Itch.io which happens to contain some nasty code which may also try to attack your sudo.

Remember, a proper attack on a system is taking different vulnerabilities and putting them together to get as much access as possible. So local attack or not, it should still be treated with concern and patched as soon as possible.
Mezron Feb 15, 2023
View PC info
  • Supporter
Thanks, Liam! Wish I could donate more than I do to ya! Cheers!
scaine Feb 15, 2023
View PC info
  • Contributing Editor
  • Mega Supporter
This is the wrong way to look at local attacks. Hear me out.

No, that's exactly the right way to look at a local attack - as Liam notes in the article, you should still patch it, but a local attack absolutely is limited in how it can affect your system. A second attack is needed to chain to this one.

The messaging couldn't be clearer in the article.

Of course, not really saying you're wrong... just that you're repeating the same message.
pageround Feb 15, 2023
View PC info
  • Supporter
You can check your version with sudo -V
Reminder: don't forget to update any hosts or systems you don't often get into.
F.Ultra Feb 16, 2023
View PC info
  • Supporter
For Ubuntu fixed packages for this was released on 2023-01-16, more info: https://ubuntu.com/security/CVE-2023-22809

Red Hat released patched versions on 2023-01-23, https://access.redhat.com/security/cve/CVE-2023-22809

Debian released patched versions on 2023-01-23, https://security-tracker.debian.org/tracker/CVE-2023-22809

I could not find any info for Arch on https://security.archlinux.org/ but it looks from their package database that they released patched versions around 2023-02-10, 2023-02-15

Most others probably follow the releases above as they usually are based on Debian or Ubuntu.
BlackBloodRum Feb 17, 2023
  • Supporter Plus
This is the wrong way to look at local attacks. Hear me out.

No, that's exactly the right way to look at a local attack - as Liam notes in the article, you should still patch it, but a local attack absolutely is limited in how it can affect your system. A second attack is needed to chain to this one.

The messaging couldn't be clearer in the article.

Of course, not really saying you're wrong... just that you're repeating the same message.
Note: Before I write this post, I should mention I'm about half a bottle of rum down.. so don't expect it to be entirely coherent!

To be clear, I'm not in disagreement here.

While the view of "you need to chain it" is true. You have to consider that in relation to GOL users, that's not such a hard task since most readers are probably using Linux as a desktop (as in user, not laptop vs desktop etc). This means chained attacks are the most likely in any situation.

The security implications are much more significant when you consider it from a user perspective. As a server? Sure it's in most cases not a big deal and would be difficult to exploit.

As a desktop user? well it could be exploited easily.

We should not forget that most users are using the software from a "I download this game, I think it's safe" perspective. What that means is, they are trusting the game to run legit code that doesn't try to exploit another binary. But the fact remains we can't be sure of this, particularly with proprietary software.

I used itch.io as an example previously, not because it's a bad store, but rather from my understanding it generally promotes developers uploading their own binaries without checking the binaries the user downloads for potential issues. This in itself is a potential threat to the user if said developer is not the most ethical of people.

As a desktop user, every day we perform actions we hope won't attack our system, whether it's downloading a game, a music file or just browsing a website. All of these, could lead to an attack on a vulnerable sudo if it is not updated.

Thus I feel my point stands, local only attack or not - it should be patched ASAP.

(Thankfully we're heading to more sandboxing, which makes most of these points moot, thankfully!)
axelb Feb 17, 2023
Debian released patched versions on 2023-01-23, https://security-tracker.debian.org/tracker/CVE-2023-22809

I could not find any info for Arch on https://security.archlinux.org/ but it looks from their package database that they released patched versions around 2023-02-10, 2023-02-15
Well, Debian announced the availability of updated packages on January 18: https://www.debian.org/security/2023/dsa-5321 and if I am interpreting this correctly, then Arch released 1.9.12p2 also on January 18: https://github.com/archlinux/svntogit-packages/commits/packages/sudo/trunk

For everyone interested in keeping track of security related package updates there is (at least for Debian) a mailing list you can subscribe to: https://lists.debian.org/debian-security-announce/


Last edited by axelb on 17 February 2023 at 10:51 pm UTC
While you're here, please consider supporting GamingOnLinux on:

Reward Tiers: Patreon. Plain Donations: PayPal.

This ensures all of our main content remains totally free for everyone! Patreon supporters can also remove all adverts and sponsors! Supporting us helps bring good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!
The comments on this article are closed.