Security issues discovered in sudo-rs

https://lists.debian.org/debian-security-announce/2025/msg00218.html

24•kahlonel•2mo ago

Comments

portmanteaufu•2mo ago

To save everyone a click, the text is:

""" Two security issues were discovered in sudo-rs, a Rust-based implemention of sudo (and su), which could result in the local disclosure of partially typed passwords or an authentication bypass in some targetpw/rootpw configurations.

For the stable distribution (trixie), this problem has been fixed in version 0.2.5-5+deb13u1.

We recommend that you upgrade your rust-sudo-rs packages. """

wiz21c•2mo ago

as far as i can see, it's just programming errors, nothing to do with rust.

_flux•2mo ago

Everything to do with reimplementing sudo, though.

But sudo has its share of CVEs as well (latest CVE-2025-32463), so perhaps a fresh look on the tool is warranted; perhaps some learnings have been taken from it.

noobermin•2mo ago

I think if rust was used to replace other bits (say things like utilities like grep or whatever) instead of security vital things like sudo, there would be less complaints.

_flux•2mo ago

Do you mean like uutils/coreutils.. Which certainly collects complaints :).

noobermin•2mo ago

No doubt. I'm just guessing people would grumble less.

ciupicri•2mo ago

A fresh look would be perhaps doas [1] from the OpenBSD project.

[1]: https://man.openbsd.org/doas.1

_flux•2mo ago

sudo-rs tries to be more or less a drop-in replacement for the original one, though, meaning minimal reconfiguration should be required for it.

never_inline•2mo ago

Do they have test suite comparable to that of original sudo, or can they reuse the test suite of original sudo?

egorfine•2mo ago

Same could be said about many of the real sudo bugs, but that argument doesn't stick with rust fanboys.

(Obligatory disclaimer: I love rust, I hate fanboys and rewrites)

_flux•2mo ago

What were the actual fixes like?

thw_9a83c•2mo ago

There is a link to github commit in the "Notes" section for each CVE [1].

[1]: https://security-tracker.debian.org/tracker/source-package/r...

_flux•2mo ago

Well, doesn't seem the issue would have been avoidable other than with "harder thinking" or better testing or something like that.

Maybe model checkers could be used, but perhaps the search space is too large for all the featuers, and keeping the source in sync with the model could be quite fragile. And who knows, maybe the model would have the same issue.

whatevaa•2mo ago

Sudo is overcomplicated and since this is a drop-in replacement, it inherits all the complexities.

m4rtink•2mo ago

But memory safety!

The P in PGP isn't for pain: encrypting emails in the browser

Show HN: Mirror Parliament where users vote on top of politicians and draft laws

Ask HN: Opus 4.6 ignoring instructions, how to use 4.5 in Claude Code instead?

We Mourn Our Craft

Jim Fan calls pixels the ultimate motor controller

Exploring a Modern SMTPE 2110 Broadcast Truck with My Dad

AI UX Playground: Real-world examples of AI interaction design

The Field Guide to Design Futures

The Other Leverage in Software and AI

AUR malware scanner written in Rust

Free FFmpeg API [video]

Are AI agents ready for the workplace? A new benchmark raises doubts

Show HN: AI Watermark and Stego Scanner

Clarity vs. complexity: the invisible work of subtraction

Solid-State Freezer Needs No Refrigerants

Ask HN: Will LLMs/AI Decrease Human Intelligence and Make Expertise a Commodity?

From Zero to Hero: A Brief Introduction to Spring Boot

NSA detected phone call between foreign intelligence and person close to Trump

How to Fake a Robotics Result

It's time for the world to boycott the US

Show HN: Semantic Search for terminal commands in the Browser (No Back end)

The AI CEO Experiment

Speed up responses with fast mode

MS-DOS game copy protection and cracks

Updates on GNU/Hurd progress [video]

Epstein took a photo of his 2015 dinner with Zuckerberg and Musk

MyFlames: View MySQL execution plans as interactive FlameGraphs and BarCharts

Show HN: LLM of Babel

A modern iperf3 alternative with a live TUI, multi-client server, QUIC support

Famfamfam Silk icons – also with CSS spritesheet

The P in PGP isn't for pain: encrypting emails in the browser

Show HN: Mirror Parliament where users vote on top of politicians and draft laws

Ask HN: Opus 4.6 ignoring instructions, how to use 4.5 in Claude Code instead?

We Mourn Our Craft

Jim Fan calls pixels the ultimate motor controller

Exploring a Modern SMTPE 2110 Broadcast Truck with My Dad

AI UX Playground: Real-world examples of AI interaction design

The Field Guide to Design Futures

The Other Leverage in Software and AI

AUR malware scanner written in Rust

Free FFmpeg API [video]

Are AI agents ready for the workplace? A new benchmark raises doubts

Show HN: AI Watermark and Stego Scanner

Clarity vs. complexity: the invisible work of subtraction

Solid-State Freezer Needs No Refrigerants

Ask HN: Will LLMs/AI Decrease Human Intelligence and Make Expertise a Commodity?

From Zero to Hero: A Brief Introduction to Spring Boot

NSA detected phone call between foreign intelligence and person close to Trump

How to Fake a Robotics Result

It's time for the world to boycott the US

Show HN: Semantic Search for terminal commands in the Browser (No Back end)

The AI CEO Experiment

Speed up responses with fast mode

MS-DOS game copy protection and cracks

Updates on GNU/Hurd progress [video]

Epstein took a photo of his 2015 dinner with Zuckerberg and Musk

MyFlames: View MySQL execution plans as interactive FlameGraphs and BarCharts

Show HN: LLM of Babel

A modern iperf3 alternative with a live TUI, multi-client server, QUIC support

Famfamfam Silk icons – also with CSS spritesheet

Security issues discovered in sudo-rs

Comments