Bug 2179273 (CVE-2023-28487)
Summary: | CVE-2023-28487 sudo: Sudo does not escape control characters in sudoreplay output | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sandipan Roy <saroy> |
Component: | vulnerability | Assignee: | Nobody <nobody> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | dapospis, rsroka |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | sudo-1.9.13 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in the sudo package, shipped with Red Hat Enterprise Linux 8 and 9, where the "sudoreplay -l" command improperly escapes terminal control characters. As sudo's log messages may contain user-controlled strings, this could allow an attacker to inject terminal control commands, leading to a leak of restricted information.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2179276, 2179277, 2182152, 2182153 | ||
Bug Blocks: | 2179004 |
Description
Sandipan Roy
2023-03-17 07:50:03 UTC
Created sudo tracking bugs for this issue:

Affects: fedora-36 [bug 2179276]
Affects: fedora-37 [bug 2179277]

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support
  Red Hat Enterprise Linux 8.8 Extended Update Support
  Red Hat Enterprise Linux 9.0 Extended Update Support
  Red Hat Enterprise Linux 9.2 Extended Update Support
  Red Hat Enterprise Linux 9
  Red Hat Enterprise Linux 8

Via RHSA-2024:0811 https://access.redhat.com/errata/RHSA-2024:0811
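The Doc Text above describes log fields reaching the terminal without control characters being escaped. The following is an added example, not sudo's code or the upstream patch, of the kind of output escaping a log viewer can apply before printing a user-influenced field; the function name `escape_ctrl`, the backslash-octal format and the sample command are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a logged command whose argument embeds an ESC
 * sequence (clear screen) and a carriage return. */
static const char sample_cmd[] = "/bin/echo \x1b[2J\rok";

/*
 * Copy src to dst, replacing every byte outside printable ASCII with a
 * backslash and three octal digits, and doubling literal backslashes so
 * the escaped form is unambiguous. Bytes >= 0x80 are escaped too, which is
 * the conservative choice when the terminal encoding is unknown.
 * Returns the length written, or -1 if dst is too small.
 */
int escape_ctrl(const char *src, char *dst, size_t dstsize)
{
    size_t o = 0;

    for (const unsigned char *p = (const unsigned char *)src; *p != '\0'; p++) {
        if (*p == '\\') {
            if (dstsize - o < 3)        /* two bytes plus the final NUL */
                return -1;
            dst[o++] = '\\';
            dst[o++] = '\\';
        } else if (*p >= 0x20 && *p < 0x7f) {
            if (dstsize - o < 2)        /* one byte plus the final NUL */
                return -1;
            dst[o++] = (char)*p;
        } else {
            if (dstsize - o < 5)        /* "\ooo" plus the final NUL */
                return -1;
            o += (size_t)snprintf(dst + o, dstsize - o, "\\%03o", (unsigned)*p);
        }
    }
    if (o >= dstsize)                   /* only reachable when dstsize == 0 */
        return -1;
    dst[o] = '\0';
    return (int)o;
}

int main(void)
{
    char buf[128];

    if (escape_ctrl(sample_cmd, buf, sizeof buf) < 0)
        return 1;
    printf("COMMAND=%s\n", buf);        /* the terminal receives text only */
    return 0;
}
```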