Bug 2161142 (CVE-2023-22809)

Summary:	CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user
Product:	[Other] Security Response	Reporter:	Sandipan Roy <saroy>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED ERRATA	QA Contact:
Severity:	high	Docs Contact:
Priority:	high
Version:	unspecified	CC:	arachman, chorn, dapospis, enothen, kyoshida, lveyde, michal.skrivanek, mperina, mrehak, rsroka, sbeal, sbonazzo, security-response-team
Target Milestone:	---	Keywords:	Reopened, Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	sudo 1.9.12p2	Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in sudo. Exposure in how sudoedit handles user-provided environment variables leads to arbitrary file writing with privileges of the RunAs user (usually root). The prerequisite for exploitation is that the current user must be authorized by the sudoers policy to edit a file using sudoedit.	Story Points:	---
Clone Of:		Environment:
Last Closed:	2023-02-12 09:39:30 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	2161216, 2161217, 2161218, 2161219, 2161220, 2161221, 2161222, 2161223, 2161224, 2161225, 2161268, 2162041, 2162042, 2164759, 2186685, 2186686, 2186687
Bug Blocks:	2160742

Description Sandipan Roy 2023-01-16 05:26:29 UTC

Vulnerability in the way sudoedit handles user-provided environment variables. This leads to arbitrary file write with privileges of the RunAs user (usually root). The prerequisite for exploitation is that the current user must be authorized by the sudoers policy to edit a file using sudoedit. This issue affects all Sudo versions <= 1.9.12p1 and was assigned CVE-2023-22809.

Comment 1 Radovan Sroka 2023-01-16 09:25:59 UTC

Do we have a reproducer?

Comment 6 Zack Miele 2023-01-18 16:34:30 UTC

Created sudo tracking bugs for this issue:

Affects: fedora-36 [bug 2162041]
Affects: fedora-37 [bug 2162042]

Comment 7 errata-xmlrpc 2023-01-23 08:56:45 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:0280 https://access.redhat.com/errata/RHSA-2023:0280

Comment 8 errata-xmlrpc 2023-01-23 08:57:49 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0282 https://access.redhat.com/errata/RHSA-2023:0282

Comment 9 errata-xmlrpc 2023-01-23 09:16:34 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:0283 https://access.redhat.com/errata/RHSA-2023:0283

Comment 10 errata-xmlrpc 2023-01-23 09:17:40 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:0281 https://access.redhat.com/errata/RHSA-2023:0281

Comment 11 errata-xmlrpc 2023-01-23 09:18:11 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0284 https://access.redhat.com/errata/RHSA-2023:0284

Comment 12 errata-xmlrpc 2023-01-23 09:19:15 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:0292 https://access.redhat.com/errata/RHSA-2023:0292

Comment 13 errata-xmlrpc 2023-01-23 09:19:56 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2023:0287 https://access.redhat.com/errata/RHSA-2023:0287

Comment 14 errata-xmlrpc 2023-01-23 09:20:13 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:0293 https://access.redhat.com/errata/RHSA-2023:0293

Comment 15 errata-xmlrpc 2023-01-23 09:22:31 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:0291 https://access.redhat.com/errata/RHSA-2023:0291

Comment 18 Product Security DevOps Team 2023-01-28 17:22:09 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-22809

Comment 30 Product Security DevOps Team 2023-02-12 09:39:27 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-22809

Comment 31 errata-xmlrpc 2023-02-21 10:40:32 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2023:0859 https://access.redhat.com/errata/RHSA-2023:0859

Comment 33 errata-xmlrpc 2023-05-23 09:15:23 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2023:3264 https://access.redhat.com/errata/RHSA-2023:3264

Comment 34 errata-xmlrpc 2023-05-23 09:15:48 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support

Via RHSA-2023:3262 https://access.redhat.com/errata/RHSA-2023:3262

Comment 35 errata-xmlrpc 2023-05-23 14:00:31 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2023:3276 https://access.redhat.com/errata/RHSA-2023:3276