Author Topic: Buffer overflow in sudo


Offline BU508A

  • Super Contributor
  • ***
  • Posts: 3550
  • Country: de
  • Per aspera ad astra
Buffer overflow in sudo
« on: January 27, 2021, 03:25:05 pm »
There is a buffer overflow in sudo. I recommend updating it to the newest version.

https://www.sudo.ws/alerts/unescape_overflow.html
“Chaos is found in greatest abundance wherever order is being sought. It always defeats order, because it is better organized.”            - Terry Pratchett -
 
The following users thanked this post: bill_c
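The alert linked above is the sudoers heap overflow tracked as CVE-2021-3156. The bug sits in the loop in sudoers' set_cmnd() that joins the command arguments into one string while undoing the backslash escaping the sudo front end applies for -s/-i; with "sudoedit -s" the front end did not escape anything, so an argument ending in a lone backslash reached the loop. The code below is an added example written for this page, not the post's content and not a verbatim copy of sudo's source: it reconstructs that loop beside its fixed form, runs both over a constructed pair of arguments laid out back to back the way the kernel stores argv strings, and measures how many bytes the old loop writes beyond the allocation sudo computed for it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* What sudoers malloc()ed for the joined arguments: each argument plus
 * one byte for the separating space (the last one becomes the NUL). */
static size_t args_alloc_size(char *const argv[])
{
    size_t size = 0;
    for (char *const *av = argv; *av != NULL; av++)
        size += strlen(*av) + 1;
    return size;
}

/* Reconstruction of the pre-1.9.5p2 unescape-and-join loop.  Returns the
 * number of bytes written to 'out' including the terminating NUL, so it
 * can be compared with args_alloc_size().  In sudo 'out' was exactly
 * args_alloc_size() bytes of heap; here the caller passes a scratch
 * buffer large enough to absorb the overrun. */
static size_t join_args_vulnerable(char *const argv[], char *out)
{
    char *to = out;
    for (char *const *av = argv; *av != NULL; av++) {
        const char *from = *av;
        while (*from) {
            /* For an argument ending in '\\', from[1] is the NUL, which
             * is not a space: the backslash is skipped, the NUL is copied
             * as data and 'from' runs off the end of this string into
             * whatever follows it in memory (the next argv string). */
            if (from[0] == '\\' && !isspace((unsigned char)from[1]))
                from++;
            *to++ = *from++;
        }
        *to++ = ' ';
    }
    *--to = '\0';                 /* turn the final space into the NUL */
    return (size_t)(to - out) + 1;
}

/* Same loop with the check added in the fix: a backslash directly before
 * the terminator is never treated as an escape, so the copy stays inside
 * the current argument. */
static size_t join_args_fixed(char *const argv[], char *out)
{
    char *to = out;
    for (char *const *av = argv; *av != NULL; av++) {
        const char *from = *av;
        while (*from) {
            if (from[0] == '\\' && from[1] != '\0' &&
                !isspace((unsigned char)from[1]))
                from++;
            *to++ = *from++;
        }
        *to++ = ' ';
    }
    *--to = '\0';
    return (size_t)(to - out) + 1;
}

/* Constructed sample input (not real sudo data): two arguments stored
 * contiguously, "A\" followed by "BBBBBBBB".  The string literal's own
 * terminator gives a second NUL after the last argument so the vulnerable
 * loop's over-read stays inside this array. */
static char sample_arena[] = "A\\\0BBBBBBBB\0";
static char *const sample_argv[] = { sample_arena, sample_arena + 3, NULL };

/* Scratch output buffer, deliberately larger than any allocation here. */
static char demo_out[256];

/* Bytes the old loop writes past the allocation sudo would have made. */
static size_t overrun_bytes(char *const argv[])
{
    size_t alloc = args_alloc_size(argv);
    size_t written = join_args_vulnerable(argv, demo_out);
    return written > alloc ? written - alloc : 0;
}

int main(void)
{
    printf("allocation computed by sudoers: %zu bytes\n",
           args_alloc_size(sample_argv));
    printf("old loop writes:                %zu bytes (%zu past the end)\n",
           join_args_vulnerable(sample_argv, demo_out),
           overrun_bytes(sample_argv));
    printf("fixed loop writes:              %zu bytes -> \"%s\"\n",
           join_args_fixed(sample_argv, demo_out), demo_out);
    return 0;
}
```

The overrun equals the length of the argument that follows the backslash, which is why the reporter's proof of concept used one huge argument after it; the fix in sudo 1.9.5p2 both added the `from[1] != '\0'` guard and made the front end reject -s/-i when invoked as sudoedit. A quick check on an installed system, from the advisory for this bug: run `sudoedit -s /` as an unprivileged user; an error beginning with `sudoedit:` means the unescaping path is still reachable, while a patched build prints a `usage:` line instead.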

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 2297
  • Country: au
Re: Buffer overflow in sudo
« Reply #1 on: February 01, 2021, 08:01:48 am »
There is a buffer overflow in sudo. I recommend updating it to the newest version.

https://www.sudo.ws/alerts/unescape_overflow.html

Or 'do' yourself a favor and run doas instead.

doas gives you root access without all the bloat that is in sudo, which has features only for permission maniacs.

 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 4559
  • Country: au
Re: Buffer overflow in sudo
« Reply #2 on: February 04, 2021, 01:36:38 am »
Why bother changing to a whole new way of doing things when the problem has been fixed?
 

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 2297
  • Country: au
Re: Buffer overflow in sudo
« Reply #3 on: February 04, 2021, 02:41:22 am »
Why bother changing to a whole new way of doing things when the problem has been fixed?

Most people just want to elevate to root. Both progs can do it but doas doesn't contain all the bloat that sudo does.

 

Offline Nominal Animal

  • Super Contributor
  • ***
  • Posts: 2886
  • Country: fi
    • My home page and email address
Re: Buffer overflow in sudo
« Reply #4 on: February 04, 2021, 01:29:10 pm »
Why bother changing to a whole new way of doing things when the problem has been fixed?

Most people just want to elevate to root. Both progs can do it but doas doesn't contain all the bloat that sudo does.

It's good for there to be more than one way, and doas has been designed to do almost all that sudo does.  "Just elevate to root" is how many end users use it, but its true purpose is to switch between differently-privileged user accounts.

Unfortunately, it hasn't been packaged for Debian or Debian derivatives yet, and actually needs a bit of work to work with Linux PAM.  Fortunately, OpenDoas seems to be progressing nicely, although I haven't pored through the code myself.

(I've done quite a bit of work wrt. privilege separation via sudo, filesystem capabilities in Linux, and Apache SuEXEC mechanism.  They are rather large hammers for things that often could be done better (more securely and robustly) via other ways...  Just don't get me started on the assumptions of the Apache SuEXEC mechanism and how it propagates a nonsensical view of proper privilege separation for web services.)
 
The following users thanked this post: Ed.Kloonk

