Session File Relative Path Traversal in sudo-rs

[Alan Coopersmith <alan.coopersmith () oracle com>]

[I'm not involved with this project or disclosure, but saw it go by and
 thought it worth mentioning here.]

https://github.com/memorysafety/sudo-rs/security/advisories/GHSA-2r3c-m6v7-9354
discloses CVE-2023-42456 in versions 0.2.0 & older of the Rust rewrite of sudo.

This vulnerability requires two pre-conditions:

1) Your OS allows usernames containing both '.' and '/' characters.

2) Your site allows users to create usernames containing both '.' and '/'
   characters, with no process or manual review that denies such things.

If both are true, when sudo-rs created a filename containing the username,
it failed to escape the characters, letting them be interpreted by the
filesystem as references to higher level directories ('/../..' etc.)

I don't know how many OS'es meet requirement 1, nor how many sites meet
requirement 2, but it appears the sudo-rs security auditors were able to
convince the developers that the numbers were not provably zero for both.

If those numbers are non-zero, then I have to imagine there's also a non-zero
number of other programs with similar bugs when creating files with usernames
in.

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris