Bug 2374693 (CVE-2025-32463) - CVE-2025-32463 sudo: LPE via chroot option [NEEDINFO]
Summary: CVE-2025-32463 sudo: LPE via chroot option
Keywords:
Status: NEW
Alias: CVE-2025-32463
Deadline: 2025-06-30
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-06-24 21:27 UTC by OSIDB Bzimport
Modified: 2025-10-07 19:15 UTC (History)
CC List: 15 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
Flags: yatian.liu.98: needinfo? (security-response-team)

Links:
Red Hat Product Errata RHSA-2025:11537 (last updated 2025-07-22 14:22:45 UTC)

Description OSIDB Bzimport 2025-06-24 21:27:30 UTC
An attacker can leverage sudo's `-R` (`--chroot`) option to run arbitrary commands as root, even if they are not listed in the sudoers file. Sudo versions 1.9.14 to 1.9.17 inclusive are affected.

Comment 2 yatian.liu.98 2025-07-03 01:35:07 UTC
The sudo versions in Fedora 41, 42, and Rawhide are all 1.9.15, which is an affected version. Since this security issue has high severity, could the latest sudo version be packaged as soon as possible?

Comment 3 Fanky W 2025-07-04 12:01:53 UTC
sudo's chroot feature should be removed ASAP.

Comment 4 Michal Ambroz 2025-07-04 12:08:16 UTC
There is public PoC for this vulnerability.

https://github.com/pr0v3rbs/CVE-2025-32463_chwoot
https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot

Works like a charm on Fedora 41.

Comment 5 Fanky W 2025-07-04 13:04:47 UTC
(In reply to Michal Ambroz from comment #4)
> There is public PoC for this vulnerability.
> 
> https://github.com/pr0v3rbs/CVE-2025-32463_chwoot
> https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
> 
> Works like charm on Fedora 41

But the sudo in RHEL 9 (1.9.5p2) actually supports chroot and responds correctly to this kind of malicious library file in the directory. It prints "you are not permitted to use the -R option with woot".
How did the problematic code slip into the RHEL 10 release?

Comment 6 Paul Wouters 2025-07-07 20:47:30 UTC
Note that upstream didn't properly document it, but 1.9.17p1 fixes both CVE-2025-32462 and CVE-2025-32463.
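As an added example (not part of this bug report or of the sudo project), a small Python check that parses `sudo -V` output and tests it against the affected range given in the description (1.9.14 through 1.9.17 inclusive) and the fix version named in comment 6 (1.9.17p1); the function names and the `sudo -V` invocation wrapper are my own.

```python
import re
import subprocess

# Range from the bug description: 1.9.14 .. 1.9.17 (any patch level) is affected.
# Comment 6 names 1.9.17p1 as the first upstream release with the fix.
FIRST_AFFECTED = (1, 9, 14, 0)
FIRST_FIXED = (1, 9, 17, 1)

# sudo version strings look like "1.9.15" or "1.9.15p5"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_sudo_version(text):
    """Turn '1.9.17p1' or the first line of `sudo -V` ('Sudo version 1.9.17p1')
    into a comparable (major, minor, patch, patchlevel) tuple."""
    m = re.search(r"Sudo version (\S+)", text)
    ver = m.group(1) if m else text.strip()
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError("unrecognised sudo version string: %r" % ver)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version):
    """True if the upstream version string falls inside the CVE-2025-32463 range."""
    v = parse_sudo_version(version)
    return FIRST_AFFECTED <= v < FIRST_FIXED


def installed_sudo_version():
    """First line of `sudo -V` on this host, or '' if sudo is not installed."""
    try:
        out = subprocess.run(["sudo", "-V"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return ""
    return out.splitlines()[0] if out else ""


if __name__ == "__main__":
    line = installed_sudo_version()
    if line:
        print(line, "-> affected by upstream version:", is_affected(line))
    else:
        print("sudo not found")
```

Distribution packages that backport the fix, such as the RHEL 10 update shipped in RHSA-2025:11537, keep the old upstream version string, so on RPM systems confirm with `rpm -q --changelog sudo | grep CVE-2025-32463` rather than trusting the version alone.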

Comment 7 errata-xmlrpc 2025-07-22 14:22:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:11537 https://access.redhat.com/errata/RHSA-2025:11537

Comment 8 Gordon Piper 2025-07-26 04:21:12 UTC
(In reply to Fanky W from comment #5)
> (In reply to Michal Ambroz from comment #4)
> > There is public PoC for this vulnerability.
> > 
> > https://github.com/pr0v3rbs/CVE-2025-32463_chwoot
> > https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
> > 
> > Works like charm on Fedora 41
> 
> But the sudo in RHEL9 (1.9.5p2) actually support chroot and reponse
> correctly with this kind of malicious library files in the directory. It
> prints " you are not permitted to use the -R option with woot"
> How come the problematic code slip into the RHEL10 release?

Link ID: Red Hat Product Errata RHSA-2025:11538