SUSE has issued an advisory today (November 7): https://lists.suse.com/pipermail/sle-security-updates/2022-November/012820.html The issue is fixed upstream in 1.9.12p1: https://www.sudo.ws/releases/stable/#1.9.12p1
Status comment: (none) => Fixed upstream in 1.9.12p1
David has already put v1.9.12p1 in Cauldron, so this is just to apply to M8. Assigning globally, no one packager in sight.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture. (CVE-2022-43995)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43995
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012820.html
https://www.sudo.ws/releases/stable/#1.9.12p1
========================

Updated packages in core/updates_testing:
========================
sudo-1.9.5p2-2.1.mga8
sudo-devel-1.9.5p2-2.1.mga8

from SRPM:
sudo-1.9.5p2-2.1.mga8.src.rpm
CVE: (none) => CVE-2022-43995
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 1.9.12p1 => (none)
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
I'm not a big fan of sudo, so I tested this in a Vbox MGA8-64 Plasma guest, rather than take a chance of messing up one of my "real" systems. Sudo was already installed, so I set it up using the instructions from the wiki page, https://wiki.mageia.org/en/Configuring_sudo Ran a few commands, and it seemed to be working as designed. Using qarepo, I downloaded and installed the updates with no issues. Again ran some commands, and again it seemed to be working as designed. Giving this an OK and validating. Advisory in comment 2.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
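The Mageia fix is a backport: the updated package is still versioned 1.9.5p2, well below the upstream fixed release 1.9.12p1, and only the package release (2.1.mga8) tells you the patch is present. The following is an added example, not code from this bug report or from Mageia's tooling, showing how to verify patch status across hosts by comparing installed package name-version-release strings against the advisory's package list with rpm's own ordering rules (a Python reimplementation of rpmvercmp, without the newer caret rule). The fixed package names are those listed above; the host inventory and the pre-update release string "2.mga8" and the "3.mga8" rebuild are constructed sample data standing in for `rpm -q` output.

```python
"""Check whether installed Mageia sudo packages carry the CVE-2022-43995 fix.

Added example (not code from the bug report or from Mageia). Fixed package
names come from the advisory; SAMPLE_HOSTS is constructed stand-in data for
`rpm -q sudo sudo-devel` output, and its "2.mga8"/"3.mga8" releases are
assumptions, not releases named in the report.
"""
import re

# Packages the advisory lists as carrying the fix (from the bug report).
FIXED_PACKAGES = {
    "sudo": "sudo-1.9.5p2-2.1.mga8",
    "sudo-devel": "sudo-devel-1.9.5p2-2.1.mga8",
}

# Constructed sample inventory; "2.mga8" is an assumed pre-update release
# and "3.mga8" an assumed later rebuild.
SAMPLE_HOSTS = {
    "host-a": ["sudo-1.9.5p2-2.1.mga8", "sudo-devel-1.9.5p2-2.1.mga8"],
    "host-b": ["sudo-1.9.5p2-2.mga8"],
    "host-c": ["sudo-1.9.5p2-3.mga8"],
}


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version/release strings with rpm's segment rules.

    Returns 1 if a is newer, -1 if older, 0 if equal. Reimplements the
    algorithm of rpm's rpmvercmp(): numeric segments compare as integers,
    alphabetic segments as strings, a numeric segment beats an alphabetic
    one, and '~' sorts before anything (even end of string). The '^' rule
    of newer rpm is not implemented.
    """
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        # Separators (anything not alphanumeric or '~') are skipped.
        one = re.sub(r"^[^A-Za-z0-9~]+", "", one)
        two = re.sub(r"^[^A-Za-z0-9~]+", "", two)
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not (one and two):
            break
        if one[0] in "0123456789":
            m1, m2, isnum = re.match(r"[0-9]+", one), re.match(r"[0-9]*", two), True
        else:
            m1, m2, isnum = re.match(r"[A-Za-z]+", one), re.match(r"[A-Za-z]*", two), False
        s1, s2 = m1.group(0), m2.group(0)
        if not s2:
            # Segment types differ: numeric is newer than alphabetic.
            return 1 if isnum else -1
        if isnum:
            s1, s2 = s1.lstrip("0"), s2.lstrip("0")
            if len(s1) != len(s2):
                return 1 if len(s1) > len(s2) else -1
        if s1 != s2:
            return 1 if s1 > s2 else -1
        one, two = one[len(m1.group(0)):], two[len(m2.group(0)):]
    if not one and not two:
        return 0
    return 1 if one else -1


def parse_nvr(nvr: str):
    """Split name-[epoch:]version-release into (name, epoch, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    return name, epoch, version, release


def evr_cmp(a, b) -> int:
    """Order (epoch, version, release) tuples the way rpm orders packages."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    rc = rpmvercmp(a[1], b[1])
    return rc if rc else rpmvercmp(a[2], b[2])


def is_patched(installed_nvr: str) -> bool:
    """True if the installed package is at or above the advisory's fixed one."""
    name, *evr = parse_nvr(installed_nvr)
    if name not in FIXED_PACKAGES:
        raise ValueError(f"{name} is not covered by this advisory")
    _, *fixed = parse_nvr(FIXED_PACKAGES[name])
    return evr_cmp(tuple(evr), tuple(fixed)) >= 0


def audit(hosts: dict) -> dict:
    """Return {host: [unpatched package NVRs]}; an empty list means patched."""
    return {h: [p for p in pkgs if not is_patched(p)] for h, pkgs in hosts.items()}


if __name__ == "__main__":
    for host, bad in audit(SAMPLE_HOSTS).items():
        print(host, "OK" if not bad else "NEEDS UPDATE: " + ", ".join(bad))
    # Comparing against the upstream fixed version instead of the package
    # release would wrongly flag the backported Mageia package as vulnerable.
    print("naive upstream compare 1.9.5p2 vs 1.9.12p1:", rpmvercmp("1.9.5p2", "1.9.12p1"))
```

The point of the release-aware comparison is the last line: a scanner that only compares the upstream version string against 1.9.12p1 reports every patched Mageia 8 host as vulnerable, so a check for a distribution backport has to use the package epoch, version and release from the advisory, not the upstream changelog.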
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0426.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED