Sudo 1.9.5 has been released today (January 11):
Some issues were detailed here:
but there were also others. We should probably just update it.
Freeze push pending in Cauldron.
Hi, thanks for reporting this.
As there is no maintainer for this package I added the committers in CC.
(Please set the status to 'assigned' if you are working on it)
joequant, mageia, ouaurelien
The updated packages fix security vulnerabilities:
The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path. (CVE-2021-23239)
selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file target. This affects SELinux RBAC support in permissive mode. Machines without SELinux are not vulnerable. (CVE-2021-23240)
Updated packages in core/updates_testing:
No installation issues.
Tested for basic functionality. Ran several commands using sudo, some valid, some purposely not valid; all performed as expected.
Looks OK. Validating. Advisory in Comment 2.
Advisory pushed to SVN.
An update for this issue has been pushed to the Mageia Updates repository.
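The advisory above describes a temporary file being replaced by a symlink before a privileged ownership change (CVE-2021-23240). The following is an added example of the general hardening pattern for that bug class; it is not code from this report or from sudo, and it is not sudo's actual fix. The names `open_tmp_nofollow` and `demo` and the file names are hypothetical, and the scenario is constructed inside a private temp directory.

```c
#define _GNU_SOURCE   /* declarations for mkdtemp/symlink/fchown in strict -std modes */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from sudo): open an existing temporary file and
 * give it to uid/gid without ever resolving a symlink planted at `path`. */
int open_tmp_nofollow(const char *path, uid_t uid, gid_t gid)
{
    struct stat sb;
    int fd = open(path, O_RDWR | O_NOFOLLOW);   /* ELOOP if path is a symlink */
    if (fd == -1) return -1;
    /* Validate the object that was actually opened, not the name. */
    if (fstat(fd, &sb) == -1 || !S_ISREG(sb.st_mode) || sb.st_nlink != 1) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    if (fchown(fd, uid, gid) == -1) {           /* acts on the inode behind fd */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp dir: returns 1 when the regular file
 * is accepted and the symlink is refused with ELOOP. */
int demo(void)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX", file[64], target[64], lnk[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(file, sizeof file, "%s/edit.tmp", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/swapped.tmp", dir);
    close(open(file, O_CREAT | O_EXCL | O_WRONLY, 0600));
    close(open(target, O_CREAT | O_EXCL | O_WRONLY, 0600));
    if (symlink(target, lnk) == -1) return -1;
    int good = open_tmp_nofollow(file, geteuid(), getegid());
    int bad = open_tmp_nofollow(lnk, geteuid(), getegid());
    int bad_errno = errno;                      /* saved before cleanup calls */
    if (good >= 0) close(good);
    unlink(file); unlink(target); unlink(lnk); rmdir(dir);
    return good >= 0 && bad == -1 && bad_errno == ELOOP;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```

A path-based `chown()` in place of the `open(O_NOFOLLOW)` plus `fchown()` pair would resolve the link and change ownership of the link's target, which is the outcome the advisory describes.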