Advisories » MGASA-2023-0025

Updated sudo packages fix security vulnerability

Publication date: 24 Jan 2023
Type: security
Affected Mageia releases: 8
CVE: CVE-2023-22809


In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra
arguments passed in the user-provided environment variables (SUDO_EDITOR,
VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries
to the list of files to process. This can lead to privilege escalation.
Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because
a user-specified editor may contain a "--" argument that defeats a
protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file'
value. (CVE-2023-22809)