The officially official Devuan Forum!


#1 2025-10-08 18:59:43

greenjeans
Member
Registered: 2017-04-07
Posts: 1,210  
Website

Critical security flaw in sudo

https://thehackernews.com/2025/09/cisa- … -flaw.html

"Sudo contains an inclusion of functionality from an untrusted control sphere vulnerability," CISA said. "This vulnerability could allow a local attacker to leverage sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file."

Great, I don't even use sudo and it's STILL a security risk.


https://sourceforge.net/projects/vuu-do/ New Vuu-do isos uploaded October 2025!
Vuu-do GNU/Linux, minimal Devuan-based Openbox and Mate systems to build on. Also a max version for OB.
Devuan 5 mate-mini iso, pure Devuan, 100% no-vuu-do. ;) Devuan 6 version also available for testing.
Please donate to support Devuan and init freedom! https://devuan.org/os/donate


#2 2025-10-08 19:16:22

golinux
Administrator
Registered: 2016-11-25
Posts: 3,557  

Re: Critical security flaw in sudo

Great, I don't even use sudo and it's STILL a security risk.

Me too . . . :(


#3 2025-10-08 19:44:32

Altoid
Member
Registered: 2017-05-07
Posts: 1,855  

Re: Critical security flaw in sudo

Hello:

greenjeans wrote:

... a security risk.

Yes, it is.

But it is a local privilege escalation and (for now) it only affects sudo 1.9.14 to 1.9.17.

See here: https://gbhackers.com/poc-published-for … e-to-root/

gbhackers.com wrote:

... legacy versions prior to 1.9.14 remain unaffected since the vulnerable chroot feature did not exist in earlier releases.

I wonder what happened to do one thing and do it well?

That said, my up-to-date Devuan Daedalus (and yours) runs 1.9.13p3:

$ apt list | grep installed | grep sudo
--- snip ---
sudo/stable,stable-security,now 1.9.13p3-1+deb12u2 amd64 [installed]
$ 

So ...
Stay the course, everything will be back to normal soon.

Best,

A.

Last edited by Altoid (2025-10-08 20:11:19)
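
Added example, not part of any post in this thread: a shell check that compares a sudo version string, including Debian/Devuan package versions like the one shown above, with the affected range quoted in the post (1.9.14 to 1.9.17). The function names are hypothetical, the sample versions are constructed, and treating a patch level above plain 1.9.17 as outside the range is an assumption of the example.

```sh
#!/bin/sh
# Added example: compare a sudo version string with the affected range quoted
# in the thread (1.9.14 to 1.9.17 inclusive). Function names are hypothetical.

# Print one sortable integer for strings such as "1.9.13p3-1+deb12u2".
# Returns 1 when the string is not a plain release version (e.g. a beta).
sudo_version_key() {
    v=${1#*:}          # drop a Debian epoch, if any
    v=${v%%-*}         # drop the Debian revision ("-1+deb12u2")
    v=${v%%[~+]*}      # drop "~bpo..." or "+..." suffixes
    case $v in
        *p*) plevel=${v##*p}; base=${v%p*} ;;   # "1.9.13p3" -> 1.9.13, patch level 3
        *)   plevel=0; base=$v ;;
    esac
    case $plevel in ''|*[!0-9]*) return 1 ;; esac
    case $base in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $base; IFS=$old_ifs
    [ $# -eq 3 ] || return 1
    for part in "$@"; do [ -n "$part" ] || return 1; done
    echo $(( (($1 * 1000 + $2) * 1000 + $3) * 1000 + plevel ))
}

classify_sudo() {
    key=$(sudo_version_key "$1") || { echo unknown; return 0; }
    if [ "$key" -lt 1009014000 ]; then      # older than 1.9.14
        echo below-range
    elif [ "$key" -le 1009017000 ]; then    # 1.9.14 through 1.9.17 (no patch level)
        echo in-range
    else
        echo above-range
    fi
}

# Constructed sample inputs; the first is the package version from the post above.
for v in 1.9.13p3-1+deb12u2 1.9.14 1.9.16p2-1 1.9.17 1.9.17p1 1.9.14b1; do
    printf '%-20s %s\n' "$v" "$(classify_sudo "$v")"
done

# On a Debian or Devuan host, classify the installed package with:
#   classify_sudo "$(dpkg-query -W -f='${Version}' sudo)"
```

A distribution package whose upstream version falls in the range can still carry a backported fix, so confirm an in-range result against the distribution's security tracker entry for the CVE.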


#4 2025-10-08 20:03:08

golinux
Administrator
Registered: 2016-11-25
Posts: 3,557  

Re: Critical security flaw in sudo

@Altoid . . . I did not write that quote. greenjeans did . . . .


#5 2025-10-08 20:06:56

greenjeans
Member
Registered: 2017-04-07
Posts: 1,210  
Website

Re: Critical security flaw in sudo

This is what I really like about Altoid, always a voice of reasonableness in a sea of chaos. ;) Cheers buddy!



#6 2025-10-08 20:15:20

Altoid
Member
Registered: 2017-05-07
Posts: 1,855  

Re: Critical security flaw in sudo

Hello:

golinux wrote:

... did not write that quote.

Hmm ....
What'chu talkin' 'bout, Willis?

Oh, right ...
Taken care of.

Best,

A.


#7 2025-10-08 20:18:15

golinux
Administrator
Registered: 2016-11-25
Posts: 3,557  

Re: Critical security flaw in sudo

Hehehehe . . . maybe more coffee? :D


#8 2025-10-08 20:23:22

Altoid
Member
Registered: 2017-05-07
Posts: 1,855  

Re: Critical security flaw in sudo

Hello:

greenjeans wrote:

... reasonableness in a sea of chaos.

Nah ...
It was a fluke.

Probably remembered to take the green one this morning.
Or was it the red one? Can't recall.

That said, what's wrong with the proven and reliable chroot that it now has to have such a useful feature?
It never ends, does it?

Best,

A.


#9 2025-10-08 22:28:52

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,721  

Re: Critical security flaw in sudo

Fixed in trixie and forky/sid. (i.e. excalibur and freia/ceres) Older versions not affected.
https://security-tracker.debian.org/tra … 2025-32463

(I duck-searched the CVE with the words 'debian security' - first hit.)


#10 2025-10-09 04:08:54

stargate-sg1-cheyenne-mtn
Member
Registered: 2023-11-27
Posts: 381  

Re: Critical security flaw in sudo

@All, thanks for the timely rundown. visited the webpage @fsmithred linked and figured while i had the tab open i would slip in a little xkcd enjoyment...

so

enjoy

keyword(s): sudo make me a sandwich & santa claus naughty list


Be Excellent to each other and Party On!
https://www.youtube.com/watch?v=rph_1DODXDU
https://en.wikipedia.org/wiki/Bill_%26_Ted%27s_Excellent_Adventure
Do unto others as you would have them do instantaneously back to you!


#11 2025-10-09 14:50:36

greenjeans
Member
Registered: 2017-04-07
Posts: 1,210  
Website

Re: Critical security flaw in sudo

^^ I literally have a T-shirt with the sudo make me a sandwich cartoon on it, found it in a secondhand store years ago.



#12 Yesterday 05:34:07

zapper
Member
Registered: 2017-05-29
Posts: 1,134  

Re: Critical security flaw in sudo

I prefer doas myself to be honest.  It is much less complicated but still has the functionality I need in sudo/su.

I use that even on devuan/gnuinos


Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term  If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Peace Be With us All!
