Bug 2179272 (CVE-2023-28486)
| Summary: | CVE-2023-28486 sudo: Sudo does not escape control characters in log messages | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sandipan Roy <saroy> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | dapospis, rsroka |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | sudo-1.9.13 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in the sudo package, shipped with Red Hat Enterprise Linux 8 and 9, where sudo improperly escapes terminal control characters during logging operations. As sudo's log messages may contain user-controlled strings, this may allow an attacker to inject terminal control commands, leading to a leak of restricted information.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2179274, 2179275, 2182148, 2182149 | ||
| Bug Blocks: | 2179004 | ||
|
Description
Sandipan Roy
2023-03-17 07:47:36 UTC
Created sudo tracking bugs for this issue: Affects: fedora-36 [bug 2179274] Affects: fedora-37 [bug 2179275] This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Red Hat Enterprise Linux 8.8 Extended Update Support Red Hat Enterprise Linux 9.0 Extended Update Support Red Hat Enterprise Linux 9.2 Extended Update Support Red Hat Enterprise Linux 9 Red Hat Enterprise Linux 8 Via RHSA-2024:0811 https://access.redhat.com/errata/RHSA-2024:0811 |