[gentoo-announce] [ GLSA 202211-08 ] sudo: Heap-Based Buffer Overread - gentoo-announce

From:	glsamaker@g.o
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 202211-08 ] sudo: Heap-Based Buffer Overread
Date:	Tue, 22 Nov 2022 04:01:55
Message-Id:	`166908917288.9.11816457518043679937@2ac734cbf5a7`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 202211-08

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: sudo: Heap-Based Buffer Overread

9

     Date: November 22, 2022

10

     Bugs: #879209

11

       ID: 202211-08

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A vulnerability has been discovered in sudo which could result in denial

19

of service.

20

21

Background

22

==========

23

24

sudo allows a system administrator to give users the ability to run

25

commands as other users.

26

27

Affected packages

28

=================

29

30

    -------------------------------------------------------------------

31

     Package              /     Vulnerable     /            Unaffected

32

    -------------------------------------------------------------------

33

  1  app-admin/sudo             < 1.9.12-r1              >= 1.9.12-r1

34

35

Description

36

===========

37

38

In certain password input handling, sudo incorrectly assumes the

39

password input is at least nine bytes in size, leading to a heap buffer

40

overread.

41

42

Impact

43

======

44

45

In the worst case, the heap buffer overread can result in the denial of

46

service of the sudo process.

47

48

Workaround

49

==========

50

51

There is no known workaround at this time.

52

53

Resolution

54

==========

55

56

All sudo users should upgrade to the latest version:

57

58

  # emerge --sync

59

  # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.12-r1"

60

61

References

62

==========

63

64

[ 1 ] CVE-2022-43995

65

      https://nvd.nist.gov/vuln/detail/CVE-2022-43995

66

67

Availability

68

============

69

70

This GLSA and any updates to it are available for viewing at

71

the Gentoo Security Website:

72

73

 https://security.gentoo.org/glsa/202211-08

74

75

Concerns?

76

=========

77

78

Security is a primary focus of Gentoo Linux and ensuring the

79

confidentiality and security of our users' machines is of utmost

80

importance to us. Any security concerns should be addressed to

81

security@g.o or alternatively, you may file a bug at

82

https://bugs.gentoo.org.

83

84

License

85

=======

86

87

Copyright 2022 Gentoo Foundation, Inc; referenced text

88

belongs to its owner(s).

89

90

The contents of this document are licensed under the

91

Creative Commons - Attribution / Share Alike license.

92

93

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 202211-08
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: sudo: Heap-Based Buffer Overread
9	Date: November 22, 2022
10	Bugs: #879209
11	ID: 202211-08
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A vulnerability has been discovered in sudo which could result in denial
19	of service.
20
21	Background
22	==========
23
24	sudo allows a system administrator to give users the ability to run
25	commands as other users.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 app-admin/sudo < 1.9.12-r1 >= 1.9.12-r1
34
35	Description
36	===========
37
38	In certain password input handling, sudo incorrectly assumes the
39	password input is at least nine bytes in size, leading to a heap buffer
40	overread.
41
42	Impact
43	======
44
45	In the worst case, the heap buffer overread can result in the denial of
46	service of the sudo process.
47
48	Workaround
49	==========
50
51	There is no known workaround at this time.
52
53	Resolution
54	==========
55
56	All sudo users should upgrade to the latest version:
57
58	# emerge --sync
59	# emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.12-r1"
60
61	References
62	==========
63
64	[ 1 ] CVE-2022-43995
65	https://nvd.nist.gov/vuln/detail/CVE-2022-43995
66
67	Availability
68	============
69
70	This GLSA and any updates to it are available for viewing at
71	the Gentoo Security Website:
72
73	https://security.gentoo.org/glsa/202211-08
74
75	Concerns?
76	=========
77
78	Security is a primary focus of Gentoo Linux and ensuring the
79	confidentiality and security of our users' machines is of utmost
80	importance to us. Any security concerns should be addressed to
81	security@g.o or alternatively, you may file a bug at
82	https://bugs.gentoo.org.
83
84	License
85	=======
86
87	Copyright 2022 Gentoo Foundation, Inc; referenced text
88	belongs to its owner(s).
89
90	The contents of this document are licensed under the
91	Creative Commons - Attribution / Share Alike license.
92
93	https://creativecommons.org/licenses/by-sa/2.5