FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-18 11:12:36 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
f3cf4b33-6013-11eb-9a0e-206a8a720317	sudo -- Multiple vulnerabilities Todd C. Miller reports: When invoked as sudoedit, the same set of command line options are now accepted as for sudo -e. The -H and -P options are now rejected for sudoedit and sudo -e which matches the sudo 1.7 behavior. This is part of the fix for CVE-2021-3156. Fixed a potential buffer overflow when unescaping backslashes in the command's arguments. Normally, sudo escapes special characters when running a command via a shell (sudo -s or sudo -i). However, it was also possible to run sudoedit with the -s or -i flags in which case no escaping had actually been done, making a buffer overflow possible. This fixes CVE-2021-3156. Discovery 2021-01-26 Entry 2021-01-26 sudo < 1.9.5p2 https://www.sudo.ws/stable.html#1.9.5p2 CVE-2021-3156
6193b3f6-548c-11eb-ba01-206a8a720317	sudo -- Potential information leak in sudoedit Todd C. Miller reports: A potential information leak in sudoedit that could be used to test for the existence of directories not normally accessible to the user in certain circumstances. When creating a new file, sudoedit checks to make sure the parent directory of the new file exists before running the editor. However, a race condition exists if the invoking user can replace (or create) the parent directory. If a symbolic link is created in place of the parent directory, sudoedit will run the editor as long as the target of the link exists.If the target of the link does not exist, an error message will be displayed. The race condition can be used to test for the existence of an arbitrary directory. However, it _cannot_ be used to write to an arbitrary location. Discovery 2021-01-11 Entry 2021-01-11 sudo < 1.9.5 https://www.sudo.ws/stable.html#1.9.5 CVE-2021-23239
3310014a-5ef9-11ed-812b-206a8a720317	sudo -- Potential out-of-bounds write for small passwords SO-AND-SO reports: Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture. Discovery 2022-11-07 Entry 2022-11-07 sudo ge 1.8.0 lt 1.9.12p1 CVE-2022-43995 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43995

VuXML ID

Description

f3cf4b33-6013-11eb-9a0e-206a8a720317

sudo -- Multiple vulnerabilities

Todd C. Miller reports:

When invoked as sudoedit, the same set of command line options are now accepted as for sudo -e. The -H and -P options are now rejected for sudoedit and sudo -e which matches the sudo 1.7 behavior. This is part of the fix for CVE-2021-3156.

Fixed a potential buffer overflow when unescaping backslashes in the command's arguments. Normally, sudo escapes special characters when running a command via a shell (sudo -s or sudo -i). However, it was also possible to run sudoedit with the -s or -i flags in which case no escaping had actually been done, making a buffer overflow possible. This fixes CVE-2021-3156.

Discovery 2021-01-26
Entry 2021-01-26
sudo

< 1.9.5p2

https://www.sudo.ws/stable.html#1.9.5p2
CVE-2021-3156

6193b3f6-548c-11eb-ba01-206a8a720317

sudo -- Potential information leak in sudoedit

Todd C. Miller reports:

A potential information leak in sudoedit that could be used to test for the existence of directories not normally accessible to the user in certain circumstances. When creating a new file, sudoedit checks to make sure the parent directory of the new file exists before running the editor. However, a race condition exists if the invoking user can replace (or create) the parent directory. If a symbolic link is created in place of the parent directory, sudoedit will run the editor as long as the target of the link exists.If the target of the link does not exist, an error message will be displayed. The race condition can be used to test for the existence of an arbitrary directory. However, it _cannot_ be used to write to an arbitrary location.

Discovery 2021-01-11
Entry 2021-01-11
sudo

< 1.9.5

https://www.sudo.ws/stable.html#1.9.5
CVE-2021-23239

3310014a-5ef9-11ed-812b-206a8a720317

sudo -- Potential out-of-bounds write for small passwords

SO-AND-SO reports:

Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture.

Discovery 2022-11-07
Entry 2022-11-07
sudo

ge 1.8.0 lt 1.9.12p1

CVE-2022-43995
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43995