Security update for sudo SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0244-1 Final 1 1 2020-02-25T09:29:12Z current 2020-02-25T09:29:12Z 2020-02-25T09:29:12Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for sudo This update for sudo fixes the following issues: Security issue fixed: - CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Non-security issue fixed: - Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-244 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4CUEBOEARZZHY5H3SPMWGMTOGOV3N2QV/ E-Mail link for openSUSE-SU-2020:0244-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1162202 SUSE Bug 1162202 https://bugzilla.suse.com/1162675 SUSE Bug 1162675 https://www.suse.com/security/cve/CVE-2019-18634/ SUSE CVE CVE-2019-18634 page openSUSE Leap 15.1 sudo-1.8.22-lp151.5.6.1 sudo-devel-1.8.22-lp151.5.6.1 sudo-test-1.8.22-lp151.5.6.1 sudo-1.8.22-lp151.5.6.1 as a component of openSUSE Leap 15.1 sudo-devel-1.8.22-lp151.5.6.1 as a component of openSUSE Leap 15.1 sudo-test-1.8.22-lp151.5.6.1 as a component of openSUSE Leap 15.1 In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c. CVE-2019-18634 openSUSE Leap 15.1:sudo-1.8.22-lp151.5.6.1 openSUSE Leap 15.1:sudo-devel-1.8.22-lp151.5.6.1 openSUSE Leap 15.1:sudo-test-1.8.22-lp151.5.6.1 critical 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4CUEBOEARZZHY5H3SPMWGMTOGOV3N2QV/ https://www.suse.com/security/cve/CVE-2019-18634.html CVE-2019-18634 https://bugzilla.suse.com/1162202 SUSE Bug 1162202