Critical security flaw in sudo

greenjeans · 2025-10-08 18:59:43

https://thehackernews.com/2025/09/cisa- … -flaw.html

"Sudo contains an inclusion of functionality from an untrusted control sphere vulnerability," CISA said. "This vulnerability could allow a local attacker to leverage sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file."

Great, I don't even use sudo and it's STILL a security risk.

golinux · 2025-10-08 19:16:22

Great, I don't even use sudo and it's STILL a security risk.

Me too . . .

Altoid · 2025-10-08 19:44:32

Hello:

greenjeans wrote:

... a security risk.

Yes, it is.

But it is a local privilege escalation and (for now) it only affects sudo 1.9.14 to 1.9.17.

See here: https://gbhackers.com/poc-published-for … e-to-root/

gbhackers.com wrote:

... legacy versions prior to 1.9.14 remain unaffected since the vulnerable chroot feature did not exist in earlier releases.

I wonder what happened to do one thing and do it well?

That said, my up-to-date Devuan Daedalus (and yours) runs 1.9.13p3:

$ apt list | grep installed | grep sudo
--- snip ---
sudo/stable,stable-security,now 1.9.13p3-1+deb12u2 amd64 [installed]
$

So ...
Stay the course, everything wil be back to normal soon.

Best,

A.

Last edited by Altoid (2025-10-08 20:11:19)

golinux · 2025-10-08 20:03:08

@Altoid . . . I did not write that quote. greenjeans did . . . .l;

greenjeans · 2025-10-08 20:06:56

This is what I really like about Altoid, always a voice of reasonableness in a sea of chaos. Cheers buddy!

Altoid · 2025-10-08 20:15:20

Hello:

golinux wrote:

... did not write that quote.

Hmm ....
What'chu talkin' 'bout, Willis?

Oh, right ...
Taken care of.

Best,

A.

golinux · 2025-10-08 20:18:15

Hehehehe . . . maybe more coffee?

Altoid · 2025-10-08 20:23:22

Hello:

greenjeans wrote:

... reasonableness in a sea of chaos.

Nah ...
It was a fluke.

Probably remembered to take the green one this morning.
Or was it the red one? Can't recall.

That said, what's wrong with the proven and reliable chroot that it now has to have such a useful feature?
It never ends, does it?

Best,

A.

fsmithred · 2025-10-08 22:28:52

Fixed in trixie and forky/sid. (i.e. excalibur and freia/ceres) Older versions not affected.
https://security-tracker.debian.org/tra … 2025-32463

(I duck-searched the CVE with the words 'debian security' - first hit.)

stargate-sg1-cheyenne-mtn · 2025-10-09 04:08:54

@All, thanks for the timely rundown. visited the webpage @fsmithred linked and figured while i had the tab open i would slip in a little xkcd enjoyment...

so

enjoy

keyword(s): sudo make me a sandwich & santa claus naughty list

greenjeans · 2025-10-09 14:50:36

^^ I literally have a T-shirt with the sudo make me a sandwich cartoon on it, found it in a secondhand store years ago.

zapper · 2025-10-10 05:34:07

I prefer doas myself to be honest. It is much less complicated but still has the functionality I need in sudo/su.

I use that even on devuan/gnuinos

With jwmkit combined with doas, I can shutdown properly or poweroff properly.

I cannot make heads or tails on how to do the same thing with sudo lol. There is just too much to sort out in that sudoers file

xD

Last edited by zapper (2025-10-12 08:17:55)

blackhole · 2025-10-16 07:47:44

These were fixed back in June: https://git.sudo.ws/sudo/commit/?id=23aff2b37

To add some much needed perspective:

https://www.cvedetails.com/vendor/15714/
https://www.cvedetails.com/vendor/33/Linux.html

Yet none here seem concerned about running the Linux kernel...

Last edited by blackhole (2025-10-16 08:13:30)

zapper · Today 04:53:15

@blackhole I suppose that could be a risk as well.

Truthfully, most software has vulnerabilities unless it doesn't connect to something that doesn't do anything online.

Although I suppose it could be more indirect than that.

The officially official Devuan Forum!

#1 2025-10-08 18:59:43

Critical security flaw in sudo

#2 2025-10-08 19:16:22

Re: Critical security flaw in sudo

#3 2025-10-08 19:44:32

Re: Critical security flaw in sudo

#4 2025-10-08 20:03:08

Re: Critical security flaw in sudo

#5 2025-10-08 20:06:56

Re: Critical security flaw in sudo

#6 2025-10-08 20:15:20

Re: Critical security flaw in sudo

#7 2025-10-08 20:18:15

Re: Critical security flaw in sudo

#8 2025-10-08 20:23:22

Re: Critical security flaw in sudo

#9 2025-10-08 22:28:52

Re: Critical security flaw in sudo

#10 2025-10-09 04:08:54

Re: Critical security flaw in sudo

#11 2025-10-09 14:50:36

Re: Critical security flaw in sudo

#12 2025-10-10 05:34:07

Re: Critical security flaw in sudo

#13 2025-10-16 07:47:44

Re: Critical security flaw in sudo

#14 Today 04:53:15

Re: Critical security flaw in sudo

Board footer