Bug 2139911 (CVE-2022-43995) - CVE-2022-43995 sudo: heap-based overflow with very small passwords
Summary: CVE-2022-43995 sudo: heap-based overflow with very small passwords
Alias: CVE-2022-43995
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 2139600
TreeView+ depends on / blocked
Reported: 2022-11-03 19:33 UTC by Marco Benatto
Modified: 2022-11-07 16:49 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2022-11-04 20:45:25 UTC

Attachments (Terms of Use)

Description Marco Benatto 2022-11-03 19:33:12 UTC
Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the compiler and processor architecture.

Comment 4 Marco Benatto 2022-11-04 20:44:10 UTC
Created sudo tracking bugs for this issue:

Affects: fedora-all [bug 2140224]

Note You need to log in before you can comment on or make changes to this bug.