2414679 – (CVE-2025-64170) CVE-2025-64170 sudo-rs: sudo-rs: Partial password reveal is possible after timeout

Bug 2414679 (CVE-2025-64170) - CVE-2025-64170 sudo-rs: sudo-rs: Partial password reveal is possible after timeout

Summary: CVE-2025-64170 sudo-rs: sudo-rs: Partial password reveal is possible after ti...

Keywords:
Status:	NEW
Alias:	CVE-2025-64170
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2414748 2414749 2414750
Blocks:
TreeView+	depends on / blocked

Reported:	2025-11-12 21:01 UTC by OSIDB Bzimport
Modified:	2025-11-12 23:23 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-11-12 21:01:59 UTC

sudo-rs is a memory safe implementation of sudo and su written in Rust. Starting in version 0.2.7 and prior to version 0.2.10, if a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens, the keystrokes that were entered are echoed back to the console. This could reveal partial password information, possibly exposing history files when not carefully handled by the user and on screen, usable for Social Engineering or Pass-By attacks. Version 0.2.10 fixes the issue.

Note You need to log in before you can comment on or make changes to this bug.