oss-sec mailing list archives
Session File Relative Path Traversal in sudo-rs
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Thu, 2 Nov 2023 11:40:04 -0700
[I'm not involved with this project or disclosure, but saw it go by and
thought it worth mentioning here.]

https://github.com/memorysafety/sudo-rs/security/advisories/GHSA-2r3c-m6v7-9354
discloses CVE-2023-42456 in versions 0.2.0 & older of the Rust rewrite of sudo.

This vulnerability requires two pre-conditions:

1) Your OS allows usernames containing both '.' and '/' characters.
2) Your site allows users to create usernames containing both '.' and '/'
   characters, with no process or manual review that denies such things.

If both are true, when sudo-rs created a filename containing the username,
it failed to escape the characters, letting them be interpreted by the
filesystem as references to higher level directories ('/../..' etc.)

I don't know how many OS'es meet requirement 1, nor how many sites meet
requirement 2, but it appears the sudo-rs security auditors were able to
convince the developers that the numbers were not provably zero for both.

If those numbers are non-zero, then I have to imagine there's also a non-zero
number of other programs with similar bugs when creating files with usernames
in.

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
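
The bug class described in the message above, as an added example that is not part of the original message and is not sudo-rs code: a username joined into a per-user file path unchecked, next to a check that accepts the name only when it is a single ordinary path component. `SESSION_DIR`, the function names and the sample usernames are assumptions made for illustration.

```rust
use std::path::{Component, Path, PathBuf};

// Hypothetical session directory; an assumption for this example, not sudo-rs's real path.
const SESSION_DIR: &str = "/run/example-sudo/ts";

/// The flawed pattern: the username becomes part of the path with no checks.
fn naive_session_path(user: &str) -> PathBuf {
    Path::new(SESSION_DIR).join(user)
}

/// Resolve `.` and `..` lexically to show where a path ends up.
fn lexical_normalize(p: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for c in p.components() {
        match c {
            Component::ParentDir => { out.pop(); }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Accept a username only if it is exactly one ordinary path component.
fn checked_session_path(user: &str) -> Result<PathBuf, String> {
    let mut comps = Path::new(user).components();
    match (comps.next(), comps.next()) {
        // The to_str comparison also rejects "alice/" and "alice/.", which
        // components() would otherwise normalize down to "alice".
        (Some(Component::Normal(name)), None) if name.to_str() == Some(user) => {
            Ok(Path::new(SESSION_DIR).join(name))
        }
        _ => Err(format!("refusing to use {:?} as a file name", user)),
    }
}

fn main() {
    // Constructed sample usernames.
    for user in ["alice", "../../../../etc/example", "alice/", "."] {
        let naive = lexical_normalize(&naive_session_path(user));
        println!("{:?}: naive -> {:?}, checked -> {:?}", user, naive, checked_session_path(user));
    }
}
```

Rejecting the name outright is one option; deriving the file name from a value that cannot contain path separators, such as the numeric uid, avoids the question entirely.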