Security issues discovered in sudo-rs

https://lists.debian.org/debian-security-announce/2025/msg00218.html

24•kahlonel•2mo ago

Comments

portmanteaufu•2mo ago

To save everyone a click, the text is:

""" Two security issues were discovered in sudo-rs, a Rust-based implemention of sudo (and su), which could result in the local disclosure of partially typed passwords or an authentication bypass in some targetpw/rootpw configurations.

For the stable distribution (trixie), this problem has been fixed in version 0.2.5-5+deb13u1.

We recommend that you upgrade your rust-sudo-rs packages. """

wiz21c•2mo ago

as far as i can see, it's just programming errors, nothing to do with rust.

_flux•2mo ago

Everything to do with reimplementing sudo, though.

But sudo has its share of CVEs as well (latest CVE-2025-32463), so perhaps a fresh look on the tool is warranted; perhaps some learnings have been taken from it.

noobermin•2mo ago

I think if rust was used to replace other bits (say things like utilities like grep or whatever) instead of security vital things like sudo, there would be less complaints.

_flux•2mo ago

Do you mean like uutils/coreutils.. Which certainly collects complaints :).

noobermin•2mo ago

No doubt. I'm just guessing people would grumble less.

ciupicri•2mo ago

A fresh look would be perhaps doas [1] from the OpenBSD project.

[1]: https://man.openbsd.org/doas.1

_flux•2mo ago

sudo-rs tries to be more or less a drop-in replacement for the original one, though, meaning minimal reconfiguration should be required for it.

never_inline•2mo ago

Do they have test suite comparable to that of original sudo, or can they reuse the test suite of original sudo?

egorfine•2mo ago

Same could be said about many of the real sudo bugs, but that argument doesn't stick with rust fanboys.

(Obligatory disclaimer: I love rust, I hate fanboys and rewrites)

_flux•2mo ago

What were the actual fixes like?

thw_9a83c•2mo ago

There is a link to github commit in the "Notes" section for each CVE [1].

[1]: https://security-tracker.debian.org/tracker/source-package/r...

_flux•2mo ago

Well, doesn't seem the issue would have been avoidable other than with "harder thinking" or better testing or something like that.

Maybe model checkers could be used, but perhaps the search space is too large for all the featuers, and keeping the source in sync with the model could be quite fragile. And who knows, maybe the model would have the same issue.

whatevaa•2mo ago

Sudo is overcomplicated and since this is a drop-in replacement, it inherits all the complexities.

m4rtink•2mo ago

But memory safety!

A Night Without the Nerds – Claude Opus 4.6, Field-Tested

Could ionospheric disturbances influence earthquakes?

SpaceX's next astronaut launch for NASA is officially on for Feb. 11 as FAA clea

Show HN: One-click AI employee with its own cloud desktop

Show HN: Poddley – Search podcasts by who's speaking

Same Surface, Different Weight

The Rise of Spec Driven Development

The first good Raspberry Pi Laptop

Seas to Rise Around the World – But Not in Greenland

Will Future Generations Think We're Gross?

State Department will delete Xitter posts from before Trump returned to office

Show HN: Verifiable server roundtrip demo for a decision interruption system

Impl Rust – Avro IDL Tool in Rust via Antlr

Stories from 25 Years of Software Development

minikeyvalue

Neomacs: GPU-accelerated Emacs with inline video, WebKit, and terminal via wgpu

Show HN: Moli P2P – An ephemeral, serverless image gallery (Rust and WebRTC)

How I grow my X presence?

What's the cost of the most expensive Super Bowl ad slot?

What if you just did a startup instead?

Hacking up your own shell completion (2020)

Show HN: Gorse 0.5 – Open-source recommender system with visual workflow editor

GLM-OCR: Accurate × Fast × Comprehensive

Local Agent Bench: Test 11 small LLMs on tool-calling judgment, on CPU, no GPU

Show HN: AboutMyProject – A public log for developer proof-of-work

Expertise, AI and Work of Future [video]

So Long to Cheap Books You Could Fit in Your Pocket

PID Controller

SpaceX Rocket Generates 100GW of Power, or 20% of US Electricity

Kubernetes MCP Server

A Night Without the Nerds – Claude Opus 4.6, Field-Tested

Could ionospheric disturbances influence earthquakes?

SpaceX's next astronaut launch for NASA is officially on for Feb. 11 as FAA clea

Show HN: One-click AI employee with its own cloud desktop

Show HN: Poddley – Search podcasts by who's speaking

Same Surface, Different Weight

The Rise of Spec Driven Development

The first good Raspberry Pi Laptop

Seas to Rise Around the World – But Not in Greenland

Will Future Generations Think We're Gross?

State Department will delete Xitter posts from before Trump returned to office

Show HN: Verifiable server roundtrip demo for a decision interruption system

Impl Rust – Avro IDL Tool in Rust via Antlr

Stories from 25 Years of Software Development

minikeyvalue

Neomacs: GPU-accelerated Emacs with inline video, WebKit, and terminal via wgpu

Show HN: Moli P2P – An ephemeral, serverless image gallery (Rust and WebRTC)

How I grow my X presence?

What's the cost of the most expensive Super Bowl ad slot?

What if you just did a startup instead?

Hacking up your own shell completion (2020)

Show HN: Gorse 0.5 – Open-source recommender system with visual workflow editor

GLM-OCR: Accurate × Fast × Comprehensive

Local Agent Bench: Test 11 small LLMs on tool-calling judgment, on CPU, no GPU

Show HN: AboutMyProject – A public log for developer proof-of-work

Expertise, AI and Work of Future [video]

So Long to Cheap Books You Could Fit in Your Pocket

PID Controller

SpaceX Rocket Generates 100GW of Power, or 20% of US Electricity

Kubernetes MCP Server

Security issues discovered in sudo-rs

Comments