Bug 32790

Summary: sudo new security issue CVE-2023-42465
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, fri, marja11, sysadmin-bugs, tarazed25
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: sudo-1.9.13p2-2.mga9 CVE: CVE-2023-42465
Status comment:

Description Nicolas Salguero 2024-01-30 09:28:28 CET 
Fedora has issued an advisory on January 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6XMRUJCPII4MPWG43HTYR76DGLEYEFZ/

Mageia 9 is also affected.
Nicolas Salguero 2024-01-30 09:28:58 CET

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2023-42465
Source RPM: (none) => sudo-1.9.13p2-2.mga9.src.rpm

Comment 1 Nicolas Salguero 2024-01-30 09:48:47 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit. (CVE-2023-42465)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6XMRUJCPII4MPWG43HTYR76DGLEYEFZ/
========================

Updated packages in core/updates_testing:
========================
sudo-1.9.15p5-1.mga9
sudo-devel-1.9.15p5-1.mga9

from SRPM:
sudo-1.9.15p5-1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9
Assignee: bugsquad => qa-bugs

Marja Van Waes 2024-01-30 21:19:29 CET

URL: (none) => https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6XMRUJCPII4MPWG43HTYR76DGLEYEFZ/
CC: (none) => marja11

Marja Van Waes 2024-01-30 21:23:52 CET

URL: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6XMRUJCPII4MPWG43HTYR76DGLEYEFZ/ => (none)

Marja Van Waes 2024-01-30 21:27:27 CET

Source RPM: sudo-1.9.13p2-2.mga9.src.rpm => sudo-1.9.13p2-2.mga9

Marja Van Waes 2024-01-30 21:33:24 CET

Keywords: (none) => advisory

Comment 2 Morgan Leijström 2024-01-31 10:38:34 CET 
mga9-64 OK by casual use

CC: (none) => fri

Comment 3 Len Lawrence 2024-02-02 00:44:57 CET 
Mageia9, x86_64

+1
Setting OK for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2024-02-02 02:32:32 CET 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2024-02-04 03:51:15 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2024-0044.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED