Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <cc507107186fdcc6@millert.dev>
Date: Mon, 06 Nov 2023 10:59:06 -0700
From: "Todd C. Miller" <Todd.Miller@...o.ws>
To: oss-security@...ts.openwall.com
Subject: Re: Session File Relative Path Traversal in sudo-rs

On Mon, 06 Nov 2023 16:53:27 +0100, Jakub Wilk wrote:

> The original sudo implementation is affected too:
> https://github.com/sudo-project/sudo/commit/7363ad7b3230b7b0
>
> https://ferrous-systems.com/blog/sudo-rs-audit/ says it's "a lower 
> security severity due to [sudo's] use of the openat function", but I 
> can't see how openat() would help.

That is correct, openat() does not prevent opening a relative (or
absolute) pathname.  Sudo 1.9.15, released today, includes the
commit you reference above.

I consider this to be very low impact as it requires the ability
to create a user with a name that would be treated as an absolute
or relative pathname.

 - todd

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.