Vulnerability in sudo that allows changing any file on the system

A vulnerability (CVE-2023-22809) has been identified in the sudo package, which is used to run commands on behalf of other users. It allows a local user to edit any file on the system, which in turn allows gaining root privileges by modifying /etc/shadow or system scripts. To exploit the vulnerability, the user must be granted the right in the sudoers file to run the sudoedit utility or "sudo" with the "-e" flag.

The vulnerability is caused by the lack of proper handling of "-" characters when parsing the environment variables that determine which program is used to edit the file. In sudo, the "--" sequence separates the editor and its arguments from the list of files to be edited. An attacker can append the "--" separator followed by a file path to the SUDO_EDITOR, VISUAL or EDITOR environment variable after the path to the editor, which causes the specified file to be edited with elevated privileges without checking the user's file access rules.

The vulnerability has been present since the 1.8.0 branch and is fixed in the sudo 1.9.12p2 corrective update. The publication of package updates in distributions can be tracked on the pages for Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch, FreeBSD, NetBSD. As a security workaround, you can disable processing of the SUDO_EDITOR, VISUAL and EDITOR environment variables for sudoedit in sudoers:

    Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"
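An added example (not from the original article or the sudo project) for checking a host against this advisory: it classifies a sudo version string against the affected range stated above (1.8.0 up to, but not including, 1.9.12p2) and checks whether a sudoers text contains the env_delete workaround. The "Sudo version ..." line format is the first line printed by `sudo --version`; the sample inputs are constructed.

```shell
#!/bin/sh
# Constructed example: audit helpers for CVE-2023-22809 (sudoedit).

# Pull the version out of the first line of `sudo --version` output
# ("Sudo version 1.9.12p2"); the text is passed in so this runs offline.
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p'
}

# Turn "1.9.12p2" into one comparable integer: major, minor, patch and
# the "p" level each take three digits (1.9.12p2 -> 1009012002).
sudo_version_key() {
    ver="$1"
    base="${ver%%p*}"                   # "1.9.12"
    plevel="${ver#"$base"}"             # "p2" or ""
    plevel="${plevel#p}"                # "2" or ""
    [ -n "$plevel" ] || plevel=0
    major="${base%%.*}"
    rest="${base#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    [ "$patch" != "$rest" ] || patch=0  # "1.9" has no patch component
    printf '%d%03d%03d%03d\n' "$major" "$minor" "$patch" "$plevel"
}

# Print "yes" if the version lies in the affected range 1.8.0 <= v < 1.9.12p2.
sudo_version_affected() {
    key=$(sudo_version_key "$1")
    lo=$(sudo_version_key "1.8.0")
    hi=$(sudo_version_key "1.9.12p2")
    if [ "$key" -ge "$lo" ] && [ "$key" -lt "$hi" ]; then
        echo yes
    else
        echo no
    fi
}

# Print "yes" if a sudoers text (e.g. the output of `cat /etc/sudoers`)
# carries the env_delete workaround for sudoedit from the advisory.
sudoers_has_workaround() {
    printf '%s\n' "$1" \
      | grep -Eq '^[[:space:]]*Defaults!sudoedit[[:space:]]+env_delete\+=.*SUDO_EDITOR.*VISUAL.*EDITOR' \
      && echo yes || echo no
}
```

On a live host, feed `sudo_version_from_output "$(sudo --version)"` into `sudo_version_affected`; a "yes" without the workaround present means the update is still needed.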

Source: opennet.ru
