Bug 34409 - sudo new security issues CVE-2025-3246[23]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: QA Team
URL:
Whiteboard: MGA9-32-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-07-01 09:18 CEST by Nicolas Salguero
Modified: 2025-07-25 23:49 CEST

See Also:
Source RPM: sudo-1.9.15p5-3.mga10.src.rpm, sudo-1.9.15p5-1.mga9.src.rpm
CVE: CVE-2025-32462, CVE-2025-32463
Status comment: Fixed upstream in 1.9.17p1



Nicolas Salguero 2025-07-01 09:19:02 CEST

CVE: (none) => CVE-2025-32462, CVE-2025-32463
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 1.9.17p1
Source RPM: (none) => sudo-1.9.15p5-3.mga10.src.rpm, sudo-1.9.15p5-1.mga9.src.rpm

Comment 1 Nicolas Salguero 2025-07-01 13:31:15 CEST
Debian has issued an advisory on June 30:
https://lists.debian.org/debian-security-announce/2025/msg00118.html

Comment 2 Nicolas Salguero 2025-07-02 15:55:21 CEST
For Cauldron, sudo-1.9.17p1-1.mga10 solved the issues.

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)

Comment 3 Marja Van Waes 2025-07-05 19:48:59 CEST
No registered maintainer, so assigning to all

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 4 Dan Fandrich 2025-07-24 05:51:13 CEST
sudo-1.9.15p5-1.1 is available in 9/updates_testing.

Suggested advisory:

CVE-2025-32462 - Sudo before 1.9.17p1, when used with a sudoers file that
specifies a host that is neither the current host nor ALL, allows listed
users to execute commands on unintended machines.

CVE-2025-32463 - Sudo before 1.9.17p1 allows local users to obtain root
access because "/etc/nsswitch.conf" from a user-controlled directory is
used with the --chroot option.

References:

https://thehackernews.com/2025/07/critical-sudo-vulnerabilities-let-local.html

RPMS
sudo-1.9.15p5-1.1.mga9
sudo-devel-1.9.15p5-1.1.mga9

SRPMS
sudo-1.9.15p5-1.1.mga9.src.rpm

QA Contact: security => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => dan
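
An added example (not part of the bug report or of sudo's own code): a simplified audit that lists sudoers rules whose host list names something other than `ALL` or the local machine, which is the configuration the CVE-2025-32462 text in comment 4 describes. It assumes a reduced sudoers grammar (one host list per rule, include directives not followed, no `#uid` users); the function name, the sample content and the host names are constructed for illustration.

```python
import re

# Constructed sample sudoers content, not taken from any real system.
SAMPLE = r"""
Host_Alias WEB = web1, web2
Defaults env_reset
%wheel ALL=(ALL) ALL
alice  WEB = /usr/bin/systemctl restart httpd
bob    devbox, ALL = /usr/bin/less \
       /var/log/messages
carol  vbox = /usr/bin/journalctl
"""
SKIP = ("#", "@", "Defaults", "User_Alias", "Runas_Alias", "Cmnd_Alias")

def host_restricted_rules(text, local_names):
    """Return (rule, hosts) for rules naming a host other than ALL or this one."""
    local = {n.lower() for n in local_names}
    aliases, specs = {}, []
    for line in re.sub(r"\\\n", " ", text).splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith(SKIP):
            continue  # blanks, comments, includes, Defaults, non-host aliases
        if line.startswith("Host_Alias"):  # Host_Alias NAME = a, b : OTHER = c
            for part in line[len("Host_Alias"):].split(":"):
                name, _, members = part.partition("=")
                aliases[name.strip()] = [m.strip() for m in members.split(",")]
        elif "=" in line:
            specs.append(line)

    def expand(item, seen=()):
        name = item.lstrip("!")  # a negated host is still a host restriction
        if name in aliases and name not in seen:
            return [h for m in aliases[name] for h in expand(m, seen + (name,))]
        return [name]

    findings = []
    for spec in specs:
        # Left of the first "=" is "users hosts"; drop spaces around list commas.
        lhs = re.sub(r"\s*,\s*", ",", spec.split("=", 1)[0]).split()
        if len(lhs) != 2:
            continue  # shapes outside this simplified grammar
        hosts = {h for item in lhs[1].split(",") for h in expand(item)}
        foreign = sorted(h for h in hosts if h != "ALL" and h.lower() not in local)
        if foreign:
            findings.append((spec, foreign))
    return findings

if __name__ == "__main__":
    print(host_restricted_rules(SAMPLE, {"vbox"}))
```

Pass both the short and the fully qualified name of the machine in `local_names`, so that rules written with either form are not reported as foreign hosts.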

Dan Fandrich 2025-07-24 06:12:04 CEST

Assignee: pkg-bugs => qa-bugs

katnatek 2025-07-25 00:43:59 CEST

Keywords: (none) => advisory

Comment 5 Brian Rockwell 2025-07-25 03:30:37 CEST
MGA9-64, Mate, VirtualBox

installed sudo update

Jul 24 20:13:31 vbox [RPM][2652]: erase sudo-1:1.9.15p5-1.mga9.x86_64: success
Jul 24 20:13:31 vbox [RPM][2652]: install sudo-1:1.9.15p5-1.1.mga9.x86_64: success


Added my user to Wheel group via Mageia Control Center and logged out and back in.

I am now able to:

sudo miscellaneous commands including journalctl.

sudo su
sudo journalctl

CC: (none) => brtians1

Comment 6 Brian Rockwell 2025-07-25 04:14:55 CEST
MGA9-32, Mate, VirtualBox

The following package is going to be installed:

- sudo-1.9.15p5-1.1.mga9.i586

----logged out and back in

working as expected

Whiteboard: (none) => MGA9-32-OK

Comment 7 Thomas Andrews 2025-07-25 15:35:16 CEST
Adding the 64-bit OK based on comment 5. Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA9-32-OK => MGA9-32-OK MGA9-64-OK

Comment 8 Mageia Robot 2025-07-25 23:49:14 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0213.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

