Bug 31738

Summary: sudo new security issues CVE-2023-2848[67]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, marja11, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: sudo-1.9.5p2-2.2.mga8.src.rpm CVE:
Status comment:

Description David Walser 2023-03-30 22:51:31 CEST 
SUSE has issued an advisory on March 29:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014226.html

The issues are fixed upstream in 1.9.13.
David Walser 2023-03-30 22:51:46 CEST

Status comment: (none) => Fixed upstream in 1.9.13

Comment 1 Marja Van Waes 2023-04-02 11:00:41 CEST 
Theres no registered maintainer for this package. Assigning to all packagers collectively.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-04-07 09:55:31 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Sudo before 1.9.13 does not escape control characters in log messages. (CVE-2023-28486)

Sudo before 1.9.13 does not escape control characters in sudoreplay output. (CVE-2023-28487)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28486
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28487
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014226.html
========================

Updated packages in core/updates_testing:
========================
sudo-1.9.5p2-2.3.mga8
sudo-devel-1.9.5p2-2.3.mga8

from SRPM:
sudo-1.9.5p2-2.3.mga8.src.rpm

CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 1.9.13 => (none)
Status: NEW => ASSIGNED

Comment 3 Thomas Andrews 2023-04-11 00:36:06 CEST 
Tested in a VirtualBox mga8-64 Plasma guest.

I used the instructions on our wiki to set up sudo operation, then tried it out on a few harmless commands to make sure the configuration was good. Used qarepo to update, then tried a few more harmless commands, with no issues to report.

Giving this an OK, and validating. Advisory in comment 2.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-04-11 01:01:23 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2023-04-11 21:03:47 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0133.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED