[Debian] CVE: CVE-2023-22809: sudo: allowing a local attacker to append arbitrary entries

Bug #2020726 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone:

Bug Description

CVE-2023-22809: https://nvd.nist.gov/vuln/detail/CVE-2023-22809

Base Score: High

In Sudo before 1.9.12p2, the sudoedit feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
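The following is an added illustration, not code from sudo or from this bug report: it models how sudoedit assembles the editor command line from an editor variable (words split on whitespace, then "--", then the files to edit) and the kind of check a patched sudoedit applies to such a value. The word splitting, the error-on-unsafe-value behaviour and the fallback editor name are assumptions, not sudo's actual editor.c logic.

```python
# Constructed model of sudoedit's editor handling around CVE-2023-22809.
# Assumptions: the editor value is split on whitespace (no shell quoting),
# an unsafe value is an error rather than a silent fallback, and "vi" is
# the fallback editor. None of this is sudo's own code.

EDITOR_VARS = ("SUDO_EDITOR", "VISUAL", "EDITOR")  # precedence order sudoedit uses
FALLBACK_EDITOR = "vi"  # assumption for this example


def split_editor(value):
    """Split an editor value into words the way this model assumes sudoedit does."""
    return value.split()


def editor_argv_unpatched(editor_value, files):
    """Pre-fix layout: editor words, then sudoedit's own '--', then the files.

    A '--' already inside editor_value makes the editor treat the words that
    follow it as file operands too, which is the flaw described above.
    """
    return split_editor(editor_value) + ["--"] + list(files)


def unrequested_files(editor_value, files):
    """Audit helper: operands the unpatched layout would hand to the editor
    beyond the files the user actually asked sudoedit to open."""
    words = split_editor(editor_value)
    if "--" not in words:
        return []
    return words[words.index("--") + 1:]


def editor_value_is_safe(editor_value):
    """Patched-style check: refuse an editor value that carries its own '--'."""
    words = split_editor(editor_value)
    return bool(words) and "--" not in words


def select_editor(env, files):
    """Resolve the editor like a patched sudoedit: first non-empty variable in
    precedence order; a value that fails the check raises instead of running."""
    for var in EDITOR_VARS:
        value = env.get(var, "")
        if not value.strip():
            continue
        if not editor_value_is_safe(value):
            raise ValueError(f"{var} contains a '--' argument; refusing to run sudoedit")
        return split_editor(value) + ["--"] + list(files)
    return [FALLBACK_EDITOR, "--"] + list(files)


if __name__ == "__main__":
    # Constructed environment in the shape the CVE text describes.
    env = {"VISUAL": "vim -- /path/to/extra/file", "EDITOR": "nano"}
    print(unrequested_files(env["VISUAL"], ["/etc/motd"]))  # ['/path/to/extra/file']
    try:
        select_editor(env, ["/etc/motd"])
    except ValueError as exc:
        print("rejected:", exc)
```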

References:

Package upgrade: sudo-ldap_1.9.5p2-3_amd64.deb → sudo-ldap_1.9.5p2-3+deb11u1_amd64.deb

https://www.debian.org/security/2023/dsa-5321

Yue Tao (wrytao)
Changed in starlingx:
importance: Undecided → High
status: New → Triaged
tags: added: stx.9.0 stx.security
OpenStack Infra (hudson-openstack) wrote: Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/884800

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/884800
Committed: https://opendev.org/starlingx/tools/commit/650983e22b2b7148fabbb1caf1c22923c6abe406
Submitter: "Zuul (22348)"
Branch: master

commit 650983e22b2b7148fabbb1caf1c22923c6abe406
Author: Haiqing Bai <email address hidden>
Date: Wed May 31 10:10:10 2023 +0800

    sudo: fix CVE-2023-22809

    Upgrade sudo-ldap to 1.9.5p2-3+deb11u1

    Refer to:
    https://security-tracker.debian.org/tracker/CVE-2023-22809

    Test Plan:
    Pass: downloader -b
    Pass: build-pkgs --clean
    Pass: build-image
    Pass: Jenkins Installation
    PASS: dpkg -l | grep sudo-ldap
          ii sudo-ldap 1.9.5p2-3+deb11u1

    Closes-Bug: 2020726

    Change-Id: Id079bad9f68bfc247c78b04061e4e85785dc154b
    Signed-off-by: Haiqing Bai <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released