[gentoo-announce] [ GLSA 202211-08 ] sudo: Heap-Based Buffer Overread

    From glsamaker@gentoo.org@21:1/5 to All on Tue Nov 22 05:10:01 2022
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202211-08
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: sudo: Heap-Based Buffer Overread
    Date: November 22, 2022
    Bugs: #879209
    ID: 202211-08

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in sudo which could result in denial
    of service.

    Background
    ==========

    sudo allows a system administrator to give users the ability to run
    commands as other users.

    Affected packages
    =================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  app-admin/sudo             < 1.9.12-r1              >= 1.9.12-r1

    Description
    ===========

    In certain password input handling, sudo incorrectly assumes the
    password input is at least nine bytes in size, leading to a heap
    buffer overread.

    Impact
    ======

    In the worst case, the heap buffer overread can result in the denial of
    service of the sudo process.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All sudo users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.12-r1"
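    The affected-packages table and the emerge line above both come down to
    one comparison: is the installed app-admin/sudo version below 1.9.12-r1?
    The Python below is an added example, not part of this advisory or of
    Gentoo's own tooling. It parses installed package strings in the
    category/name-version form Portage uses for directory names under
    /var/db/pkg and reports each sudo entry as vulnerable or unaffected
    against the advisory's fixed version. The sample list is constructed.
    Only plain dotted versions with an optional -rN revision are handled;
    other Gentoo version forms (letter or _suffix parts such as 1.9.12_p1)
    are rejected with an error rather than compared wrongly.

```python
import re
from typing import NamedTuple

# Values taken from the GLSA's affected-packages table.
PACKAGE = "app-admin/sudo"
FIXED_VERSION = "1.9.12-r1"   # the "Unaffected" column: >= 1.9.12-r1

# Dotted numeric version plus optional Gentoo revision "-rN".
# Deliberately narrow: anything else (e.g. "1.9.12_p1", "1.9.13a")
# is refused instead of being mis-ordered.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")

# Split "category/name-1.2.3-r1" at the first "-" that is followed by a digit.
_ATOM_RE = re.compile(r"^(.+?)-(\d.*)$")


class PkgVersion(NamedTuple):
    numbers: tuple   # dotted components as ints, e.g. (1, 9, 12)
    revision: int    # -rN revision, 0 when absent; tuple order gives
                     # 1.9.12 < 1.9.12-r1 < 1.9.13 as Portage does


def supports(text: str) -> bool:
    """True when `text` is in the limited version syntax handled here."""
    return _VERSION_RE.match(text) is not None


def parse_version(text: str) -> PkgVersion:
    """Parse '1.9.12' or '1.9.12-r1'; raise ValueError on other forms."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported version syntax: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    revision = int(m.group(2) or 0)
    return PkgVersion(numbers, revision)


def split_atom(atom: str) -> tuple:
    """Split 'app-admin/sudo-1.9.12-r1' into ('app-admin/sudo', '1.9.12-r1')."""
    m = _ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"not a category/name-version string: {atom!r}")
    return m.group(1), m.group(2)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version falls in the table's '< fixed' row."""
    return parse_version(installed) < parse_version(fixed)


def check_installed(atoms, package: str = PACKAGE, fixed: str = FIXED_VERSION) -> dict:
    """Map each installed entry of `package` to 'vulnerable' or 'unaffected'.

    Entries for other packages are ignored, so their version syntax is
    never parsed.
    """
    report = {}
    for atom in atoms:
        name, version = split_atom(atom)
        if name != package:
            continue
        report[atom] = "vulnerable" if is_vulnerable(version, fixed) else "unaffected"
    return report


# Constructed sample, shaped like the directory names under /var/db/pkg/*/.
SAMPLE_INSTALLED = [
    "app-admin/sudo-1.9.12",       # constructed: below 1.9.12-r1, vulnerable
    "app-admin/sudo-1.9.12-r1",    # constructed: the fixed revision
    "sys-apps/portage-3.0.38.1",   # constructed: unrelated package, skipped
]

if __name__ == "__main__":
    for atom, status in check_installed(SAMPLE_INSTALLED).items():
        print(f"{atom}: {status}")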

    References
    ==========

    [ 1 ] CVE-2022-43995
    https://nvd.nist.gov/vuln/detail/CVE-2022-43995

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202211-08

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License
    =======

    Copyright 2022 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmN8R5QACgkQFMQkOaVy +9lZTw//a62Bx8TrBOYkc9/O9eyZgJRLGmTifu+eLLe0t+T4hufDxf3PSu4eI9j+ UyFjSb1ps8gB9QFyqKEIQw08hsjoE176BQbgEpGjjdnQSaAoHmEqTj1pADkxVgwM MMvr1ybK9VyNUqWfiFcDIqNrnPaPIoRfTG/d5vO1FY5NaCySUQ0tNwgComGXxlMb Os6ZoTKKyakw+Alcqn8j0MUTGLohyjPDx4njUpwQJdz+SNj75Dm7chQ8ulLKXcU/ 2+AKyYpnwtTVKhUChnoP/1jqAV1w2jmzajziPB0Xr86Da4aND5nHGKpl1af7OQBi m1KP6woHlF/wCDCO09xINB3oPeSrX28mu/oQdTTCuhdfrmYBTasUsdFOxwGIhjM5 /qK6eOZEOyDltHVd8yJLcYxQyCp0+h8LlF8wsAUQCdCvntIZ+khvOEVCuEICIbDk 5LU5//R5lJSF0wvF+ouhEHsRkAMEUddCbAW66xKpvnHo3cVMV2b5X1M4dx8X2nzh WmhrV2/R4v8LpjrAJs0d4/Mvs32d26UXLN3Qcw2l80WaBjYrtkc8JNfbS/aA3XUP RDaV+dEvcYjq4oCTMlcG/l+hmTBas7YXQWkjO4wRAn6lVdfrEzN00O/4Y4j1MP0W ens1MtDBDPIRGFUfAl4Wf8TH1y5OVpRyHQTW0LRTaQ7axlTQxu4=
    =VcEL
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)