Bug 2179272 (CVE-2023-28486) - CVE-2023-28486 sudo: Sudo does not escape control characters in log messages
Summary: CVE-2023-28486 sudo: Sudo does not escape control characters in log messages
Keywords:
Status: NEW
Alias: CVE-2023-28486
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2182148 2182149 2179274 2179275
Blocks: 2179004 (Embargoed)

Reported: 2023-03-17 07:47 UTC by Sandipan Roy
Modified: 2023-03-27 17:40 UTC (History)
CC List: 2 users

Fixed In Version: sudo-1.9.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the sudo package, shipped with Red Hat Enterprise Linux 8 and 9, where sudo improperly escapes terminal control characters during logging operations. As sudo's log messages may contain user-controlled strings, this may allow an attacker to inject terminal control commands, leading to a leak of restricted information.
Clone Of:
Environment:
Last Closed:



Description Sandipan Roy 2023-03-17 07:47:36 UTC
Sudo before 1.9.13 does not escape control characters in log messages.

https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca
https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_13

Comment 1 Sandipan Roy 2023-03-17 07:51:05 UTC
Created sudo tracking bugs for this issue:

Affects: fedora-36 [bug 2179274]
Affects: fedora-37 [bug 2179275]

