Sudo version 1.9.12p2 is now available which fixes several bugs in sudo 1.9.12. It includes a fix for CVE-2023-22809, a bug that could allow a user with "sudoedit" privileges to edit arbitrary files. See https://www.sudo.ws/security/advisories/sudoedit_any/ for details.

Source:
  https://www.sudo.ws/dist/sudo-1.9.12p2.tar.gz
  ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.12p2.tar.gz

SHA256 checksum: b9a0b1ae0f1ddd9be7f3eafe70be05ee81f572f6f536632c44cd4101bb2a8539
MD5 checksum: 2c67b10f2aca4698eef0491142653382

Binary packages:
  https://www.sudo.ws/getting/packages/
  https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_12p2

For a list of download mirror sites, see:
  https://www.sudo.ws/getting/download_mirrors/

Sudo web site: https://www.sudo.ws/

Major changes between sudo 1.9.12p2 and 1.9.12p1:

* Fixed a compilation error on Linux/aarch64. GitHub issue #197.

* Fixed a potential crash introduced in the fix for GitHub issue #134. If a user's sudoers entry did not have any RunAs users set, running "sudo -U otheruser -l" would dereference a NULL pointer.

* Fixed a bug introduced in sudo 1.9.12 that could prevent sudo from creating I/O files when the "iolog_file" sudoers setting contains six or more Xs.

* Fixed CVE-2023-22809, a flaw in sudo's -e option (aka sudoedit) that could allow a malicious user with sudoedit privileges to edit arbitrary files.
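Two checks a practitioner wants after reading an announcement like the one above: that the tarball they fetched matches the published SHA256, and whether the sudo already installed on a host reports a version at or after 1.9.12p2. The POSIX shell script below is an added example written for this page; it is not code from the sudo project or from the FreeBSD port. The function names, the "before-fix" / "at-or-after-fix" / "unparsed" labels, and the decision to treat a missing "pN" suffix as patch level 0 are assumptions of this example; the fixed version string and the SHA256 come from the announcement.

```shell
#!/bin/sh
# Added example (not sudo project code): verify a downloaded sudo tarball and
# compare an installed sudo's version against the 1.9.12p2 release above.

FIXED_VERSION="1.9.12p2"   # release that ships the CVE-2023-22809 fix (from the announcement)
TARBALL_SHA256="b9a0b1ae0f1ddd9be7f3eafe70be05ee81f572f6f536632c44cd4101bb2a8539"  # from the announcement

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 if FILE's SHA256 equals EXPECTED_HEX. Uses sha256sum (Linux)
# or sha256 -q (FreeBSD), whichever is present.
verify_sha256() {
    file=$1
    expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(sha256 -q "$file")
    fi
    [ "$actual" = "$expected" ]
}

# sudo_version_fields VERSION
# Prints "MAJOR MINOR PATCH PLEVEL" for strings like 1.9.12p2 or 1.9.12.
# A version without a pN suffix is treated as patch level 0 (assumption).
sudo_version_fields() {
    ver=$1
    case $ver in
        *p*) plevel=${ver##*p}; base=${ver%p*} ;;
        *)   plevel=0;          base=$ver ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $base
    IFS=$old_ifs
    echo "${1:-0} ${2:-0} ${3:-0} ${plevel:-0}"
}

# sudo_version_older A B
# Returns 0 (true) if version A sorts before version B, else 1.
sudo_version_older() {
    a=$(sudo_version_fields "$1")
    b=$(sudo_version_fields "$2")
    set -- $a $b          # $1..$4 are A's fields, $5..$8 are B's
    i=0
    while [ "$i" -lt 4 ]; do
        [ "$1" -lt "$5" ] && return 0
        [ "$1" -gt "$5" ] && return 1
        shift
        i=$((i + 1))
    done
    return 1
}

# sudo_fix_status "Sudo version X.Y.ZpN"
# Takes the first line of `sudo -V` and prints "before-fix",
# "at-or-after-fix", or "unparsed" if the line is not in that form.
sudo_fix_status() {
    line=$1
    case $line in
        "Sudo version "*) ;;
        *) echo "unparsed"; return 0 ;;
    esac
    ver=${line##*"version "}
    ver=${ver%%" "*}
    if sudo_version_older "$ver" "$FIXED_VERSION"; then
        echo "before-fix"
    else
        echo "at-or-after-fix"
    fi
}

# Report on the sudo installed on this host, if any.
if command -v sudo >/dev/null 2>&1; then
    sudo_fix_status "$(sudo -V 2>/dev/null | head -n 1)"
fi

# To check a downloaded tarball:
#   verify_sha256 sudo-1.9.12p2.tar.gz "$TARBALL_SHA256" && echo "checksum OK"
```

A "before-fix" result means only that the version string predates the upstream release carrying the fix; vendors sometimes backport a fix without changing the reported version, so confirm against the vendor's advisory (FreeBSD's port, as the commits in this PR show, moved to 1.9.12p2 outright). The MD5 in the announcement is not worth checking separately; the SHA256 is the one to rely on.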
Created attachment 239559: Update to 1.9.12p2

Added patch now that I know the PR number, in case the maintainer passes it back to me to commit.
Bump to "Affects Many People" because of CVE-2023-22809, which allows users of sudoedit to edit arbitrary files.
Approved. Thanks!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8f8bd813f3139d6f6ff35704808111c4ad1f053a

commit 8f8bd813f3139d6f6ff35704808111c4ad1f053a
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2023-01-18 16:20:58 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2023-01-18 17:08:35 +0000

    security/sudo: Update to 1.9.12p2

    Major changes between sudo 1.9.12p2 and 1.9.12p1:
     * Fixed a compilation error on Linux/aarch64. GitHub issue #197.
     * Fixed a potential crash introduced in the fix for GitHub issue #134.
       If a user's sudoers entry did not have any RunAs users set, running
       "sudo -U otheruser -l" would dereference a NULL pointer.
     * Fixed a bug introduced in sudo 1.9.12 that could prevent sudo from
       creating I/O files when the "iolog_file" sudoers setting contains
       six or more Xs.
     * Fixed CVE-2023-22809, a flaw in sudo's -e option (aka sudoedit) that
       could allow a malicious user with sudoedit privileges to edit
       arbitrary files.

    PR:             269030
    Submitted by:   cy
    Reported by:    cy
    Approved by:    garga
    MFH:            2023Q1
    Security:       CVE-2023-22809

 security/sudo/Makefile | 2 +-
 security/sudo/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
A commit in branch 2023Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e4b0eefa183226d3d6cb8be568a5a3aa586c12b9

commit e4b0eefa183226d3d6cb8be568a5a3aa586c12b9
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2023-01-18 16:20:58 +0000
Commit:     Renato Botelho <garga@FreeBSD.org>
CommitDate: 2023-01-18 20:15:38 +0000

    security/sudo: Update to 1.9.12p2

    Major changes between sudo 1.9.12p2 and 1.9.12p1:
     * Fixed a compilation error on Linux/aarch64. GitHub issue #197.
     * Fixed a potential crash introduced in the fix for GitHub issue #134.
       If a user's sudoers entry did not have any RunAs users set, running
       "sudo -U otheruser -l" would dereference a NULL pointer.
     * Fixed a bug introduced in sudo 1.9.12 that could prevent sudo from
       creating I/O files when the "iolog_file" sudoers setting contains
       six or more Xs.
     * Fixed CVE-2023-22809, a flaw in sudo's -e option (aka sudoedit) that
       could allow a malicious user with sudoedit privileges to edit
       arbitrary files.

    PR:             269030
    Submitted by:   cy
    Reported by:    cy
    Approved by:    garga
    MFH:            2023Q1
    Security:       CVE-2023-22809

    (cherry picked from commit 8f8bd813f3139d6f6ff35704808111c4ad1f053a)

 security/sudo/Makefile | 2 +-
 security/sudo/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Fixed.
Thanks, should there be a VuXML entry? 22 counted at <https://www.freshports.org/vuxml.php?package=sudo>, not including CVE-2023-22809.