Date: Wed, 27 Jan 2021 09:33:40 +0100 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Subject: Re: Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156) Hi, Just sharing a few thoughts and things I read elsewhere: complexity ========== The top comment on lobste.rs points out that a problem of sudo is complexity: https://lobste.rs/s/efsvqu/heap_based_buffer_overflow_sudo_cve_2021#c_c6fcfa I think that's a very fair point. Also it seems the development trend in sudo is to actually increase complexity even more and adding all kinds of features that really should not be part of a suid tool, see e.g. https://computingforgeeks.com/better-secure-new-sudo-release/ The lobste.rs poster points to doas, which seems to be a much simpler alternative coming from OpenBSD, a portable version exists: https://github.com/Duncaen/OpenDoas testing ======= Top commenter at HN points out that there's a lack of testing in sudo: https://news.ycombinator.com/item?id=25921811 Neither the commit that introduced this bug nor the commit that fixed it contained a test. Fair point again. Here doas does not compare well: It does not seem to come with a test suite at all. -- Hanno Böck https://hboeck.de/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.