31089 – sudo new security issue CVE-2022-43995

Bug 31089 - sudo new security issue CVE-2022-43995

Summary: sudo new security issue CVE-2022-43995

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2022-11-07 21:08 CET by David Walser
Modified:	2022-11-17 16:46 CET (History)
CC List:	4 users (show)

See Also:
Source RPM:	sudo-1.9.5p2-2.mga8.src.rpm
CVE:	CVE-2022-43995
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2022-11-07 21:08:53 CET

SUSE has issued an advisory today (November 7):
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012820.html

The issue is fixed upstream in 1.9.12p1:
https://www.sudo.ws/releases/stable/#1.9.12p1

David Walser 2022-11-07 21:16:23 CET

Status comment: (none) => Fixed upstream in 1.9.12p1

Comment 1 Lewis Smith 2022-11-07 21:29:31 CET

David has already put v1.9.12p1 in Cauldron, so this is just to apply to M8.
Assigning globally, no one packager in sight.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-11-08 10:04:47 CET

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture. (CVE-2022-43995)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43995
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012820.html
https://www.sudo.ws/releases/stable/#1.9.12p1
========================

Updated packages in core/updates_testing:
========================
sudo-1.9.5p2-2.1.mga8
sudo-devel-1.9.5p2-2.1.mga8

from SRPM:
sudo-1.9.5p2-2.1.mga8.src.rpm

CVE: (none) => CVE-2022-43995
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 1.9.12p1 => (none)
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero

Comment 3 Thomas Andrews 2022-11-16 20:27:42 CET

I'm not a big fan of sudo, so I tested this in a Vbox MGA8-64 Plasma guest, rather than take a chance of messing up one of my "real" systems.

Sudo was already installed, so I set it up using the instructions from the wiki page, https://wiki.mageia.org/en/Configuring_sudo 

Ran a few commands, and it seemed to be working as designed.

Using qarepo, I downloaded and installed the updates with no issues. Again ran some commands, and again it seemed to be working as designed.

Giving this an OK and validating. Advisory in comment 2.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-11-17 03:53:07 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2022-11-17 16:46:54 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0426.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.