It was pointed out to me recently in the GamingOnLinux Discord that the sudo package had a security flaw, so it's time to check for updates.
The sudo package is what's responsible for giving certain users or user groups the ability to run some (or all) commands as root or another user. A pretty important package, and of course one that needs to be secure. Nothing is perfect though of course, and security issues being reported and then fixed is a good thing.
Going by the US NVD (National Vulnerability Database) entry for it, they classed it as a High severity issue. As described:
In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
Given that it requires local access, it does limit what people can do with it, but it's still a good reminder to ensure your systems are up to date, eh?
So if you're on at least sudo 1.9.12p2 you're good to go. Although, some distributions like Ubuntu use slightly different versioning, so if you're on Ubuntu you should have 1.9.11p3. Fedora seems up to date too, but checking on System76's Pop!_OS it's only reporting sudo 1.9.9, for example (Edit: but as pointed out in the comments, it has the patch as it's based on an older Ubuntu).
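As an added example (not from the article or the sudo project), here is a small POSIX shell script that applies the version check above: it parses the version line printed by `sudo --version`, tests whether the upstream version falls in the affected range 1.8.0 through 1.9.12p1 that the NVD entry names, and carries a lookup of distribution backports taken from the article (Ubuntu's 1.9.11p3). The sample output string is constructed, the function names are my own, and the backport table is illustrative: a version-number check alone cannot replace consulting your distribution's security tracker, because a backported fix shows up in the package revision, not in the upstream version string.

```shell
#!/bin/sh
# Added example (not from the article or the sudo project): decide from a sudo
# version string whether it falls inside the range the NVD entry for
# CVE-2023-22809 lists as affected (1.8.0 through 1.9.12p1).
# Assumes upstream version strings of the form major.minor[.patch][pN],
# e.g. "1.9.12p1" or "1.9.9"; all function names here are hypothetical.

# Turn "1.9.12p1" into the integer 1000900120001 (major, then zero-padded
# minor, patch and p-level) so versions can be compared with -ge / -le.
sudo_version_key() {
    ver="$1"
    base="${ver%%p*}"                 # "1.9.12"
    case "$ver" in
        *p*) plevel="${ver##*p}" ;;   # "1"
        *)   plevel=0 ;;
    esac
    maj="${base%%.*}"
    rest="${base#*.}"
    if [ "$rest" = "$base" ]; then    # bare "1": no minor component
        min=0; pat=0
    else
        min="${rest%%.*}"
        pat="${rest#*.}"
        if [ "$pat" = "$rest" ]; then # "1.9": no patch component
            pat=0
        fi
    fi
    printf '%d%04d%04d%04d\n' "$maj" "$min" "$pat" "$plevel"
}

# Exit status 0 when the version lies in 1.8.0 .. 1.9.12p1, 1 otherwise.
sudo_version_affected() {
    key=$(sudo_version_key "$1")
    lo=$(sudo_version_key 1.8.0)
    hi=$(sudo_version_key 1.9.12p1)
    [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]
}

# Pull the upstream version out of `sudo --version` output, whose first
# line reads "Sudo version X.Y.ZpN".
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version \([0-9][0-9.p]*\).*/\1/p'
}

# Distribution versions the article reports as carrying a backported fix
# even though the upstream number is inside the affected range.
# Illustrative only: a real check must consult the distribution's security
# tracker, since the backport shows in the package revision, not here.
DISTRO_BACKPORTS="ubuntu:1.9.11p3"

# Print one of: "patched", "patched (distro backport)", "vulnerable".
sudo_status() {
    distro="$1"; ver="$2"
    for entry in $DISTRO_BACKPORTS; do
        if [ "$entry" = "$distro:$ver" ]; then
            echo "patched (distro backport)"
            return 0
        fi
    done
    if sudo_version_affected "$ver"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# Constructed sample output in the format `sudo --version` prints.
SAMPLE_OUTPUT='Sudo version 1.9.12p2
Sudoers policy plugin version 1.9.12p2'

# Demo: the sample output plus the versions the article mentions.
echo "sample output reports $(sudo_version_from_output "$SAMPLE_OUTPUT")"
for v in 1.9.9 1.9.12p1 1.9.12p2; do
    printf '%-9s %s\n' "$v" "$(sudo_status generic "$v")"
done
printf '%-9s %s\n' "1.9.11p3" "$(sudo_status ubuntu 1.9.11p3)"
```

On a real machine you would feed `"$(sudo --version)"` to `sudo_version_from_output` and pass your distribution name to `sudo_status`; on Debian or Ubuntu, `apt changelog sudo` or the distribution's security tracker is the authoritative answer when the upstream number is inside the affected range.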
You can read a little more on it here.
Quoting: F.Ultra
Debian released patched versions on 2023-01-23, https://security-tracker.debian.org/tracker/CVE-2023-22809

Well, Debian announced the availability of updated packages on January 18: https://www.debian.org/security/2023/dsa-5321 and if I am interpreting this correctly, then Arch released 1.9.12p2 also on January 18: https://github.com/archlinux/svntogit-packages/commits/packages/sudo/trunk
I could not find any info for Arch on https://security.archlinux.org/, but it looks from their package database that they released patched versions around 2023-02-10 and 2023-02-15.
For everyone interested in keeping track of security-related package updates there is (at least for Debian) a mailing list you can subscribe to: https://lists.debian.org/debian-security-announce/
Last edited by axelb on 17 February 2023 at 10:51 pm UTC