Vulnerability in sudo that allows any file on the system to be modified

A vulnerability (CVE-2023-22809) has been identified in the sudo package, which is used to run commands on behalf of other users. It allows a local user to edit any file on the system, which in turn lets them obtain root privileges by modifying /etc/shadow or system scripts. Exploiting the vulnerability requires that the user be granted, in the sudoers file, the right to run the sudoedit utility or "sudo" with the "-e" flag.

The vulnerability is caused by incorrect handling of the "--" characters when parsing the environment variables that define the program invoked to edit a file. In sudo, the "--" sequence is used to separate the editor and its arguments from the list of files to be edited. An attacker can append the sequence "-- file" after the editor path in the SUDO_EDITOR, VISUAL, or EDITOR environment variables, which causes the specified file to be opened for editing with elevated privileges without checking the user's file access rules.

The vulnerability has been present since the 1.8.0 branch and was fixed in the sudo 1.9.12p2 maintenance release. The availability of package updates in distributions can be tracked on the following pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch, FreeBSD, NetBSD. As a workaround, processing of the SUDO_EDITOR, VISUAL and EDITOR environment variables can be disabled by specifying in sudoers: Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"
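The following audit helper is an added example and is not part of the original article or of the sudo project. It encodes the three facts stated above: the affected version range (1.8.0 up to but not including 1.9.12p2), the sudoers workaround line, and the "--" separator that the editor variables must not carry. The sample sudoers text and the editor values are constructed here for illustration; the version-string format follows what `sudo --version` prints.

```python
import re
import shlex

# Version bounds from the advisory: affected from 1.8.0, fixed in 1.9.12p2.
# Represented as (major, minor, micro, patchlevel) so they compare as tuples.
FIRST_AFFECTED = (1, 8, 0, 0)
FIRST_FIXED = (1, 9, 12, 2)

# The three variables the sudoers workaround removes from the environment.
EDITOR_VARS = {"SUDO_EDITOR", "VISUAL", "EDITOR"}


def parse_sudo_version(version: str) -> tuple:
    """Turn '1.9.12p2' (or 'Sudo version 1.9.12p2') into (1, 9, 12, 2).
    A missing 'pN' suffix counts as patch level 0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised sudo version string: {version!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_affected(version: str) -> bool:
    """True when this sudo release falls inside the vulnerable range."""
    return FIRST_AFFECTED <= parse_sudo_version(version) < FIRST_FIXED


# Matches the workaround line from the advisory, with either '=' or '+='.
_MITIGATION_RE = re.compile(
    r'^Defaults!sudoedit\s+env_delete\s*\+?=\s*"([^"]*)"\s*$'
)


def sudoers_has_mitigation(sudoers_text: str) -> bool:
    """True when some Defaults!sudoedit env_delete line drops all three
    editor variables. Only the double-quoted list form is recognised
    (assumption: that is the form the advisory gives)."""
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        m = _MITIGATION_RE.match(line)
        if m and EDITOR_VARS <= set(m.group(1).split()):
            return True
    return False


def editor_value_is_suspicious(value: str) -> bool:
    """Flag an editor variable whose argument list contains a bare '--'
    token, which vulnerable sudoedit treated as the start of the file list.
    Useful for auditing login environments or shell profiles."""
    try:
        tokens = shlex.split(value)
    except ValueError:
        return True  # unbalanced quoting is itself worth a look
    return "--" in tokens[1:]


# Constructed sample sudoers content for a stand-alone run.
SAMPLE_SUDOERS = """\
# constructed example, not a real host's sudoers
Defaults env_reset
Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"
alice ALL=(ALL) sudoedit /etc/constructed-example.conf
"""


if __name__ == "__main__":
    for v in ("Sudo version 1.8.31", "1.9.12p1", "1.9.12p2"):
        print(f"{v:>22}: {'AFFECTED' if is_affected(v) else 'fixed/not affected'}")
    print("sudoers workaround present:", sudoers_has_mitigation(SAMPLE_SUDOERS))
    for val in ("vim -u NONE", "vim -- /tmp/constructed-path"):
        print(f"EDITOR={val!r} suspicious: {editor_value_is_suspicious(val)}")
```

On a real host, feed `is_affected` the output of `sudo --version` and `sudoers_has_mitigation` the contents of /etc/sudoers and any files under /etc/sudoers.d; a host is covered when the version is not affected or the workaround line is present.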

source: budenet.ru
