svn commit: r524708 - head/security/vuxml
Cy Schubert
cy at FreeBSD.org
Fri Jan 31 14:00:23 UTC 2020
Author: cy
Date: Fri Jan 31 14:00:22 2020
New Revision: 524708
URL: https://svnweb.freebsd.org/changeset/ports/524708
Log:
Document sudo CVE-2019-18634:
Buffer overflow when pwfeedback is set in sudoers.
Security: CVE-2019-18634
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Fri Jan 31 13:59:19 2020 (r524707)
+++ head/security/vuxml/vuln.xml Fri Jan 31 14:00:22 2020 (r524708)
@@ -58,6 +58,44 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="b4e5f782-442d-11ea-9ba9-206a8a720317">
+ <topic>sudo -- Potential bypass of Runas user restrictions</topic>
+ <affects>
+ <package>
+ <name>sudo</name>
+ <range><lt>1.8.31</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Todd C. Miller reports:</p>
+ <blockquote cite="https://www.sudo.ws/alerts/pwfeedback.html">
+ <p>Sudo's pwfeedback option can be used to provide visual feedback
+ when the user is inputting their password. For each key press,
+ an asterisk is printed. This option was added in response to
+ user confusion over how the standard Password: prompt disables
+ the echoing of key presses. While pwfeedback is not enabled by
+ default in the upstream version of sudo, some systems, such as
+ Linux Mint and Elementary OS, do enable it in their default
+ sudoers files.</p>
+ <p>Due to a bug, when the pwfeedback option is enabled in the
+ sudoers file, a user may be able to trigger a stack-based buffer
+ overflow. This bug can be triggered even by users not listed in
+ the sudoers file. There is no impact unless pwfeedback has been
+ enabled.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.sudo.ws/alerts/pwfeedback.html</url>
+ <cvename>CVE-2019-18634</cvename>
+ </references>
+ <dates>
+ <discovery>2020-01-30</discovery>
+ <entry>2020-01-30</entry>
+ </dates>
+ </vuln>
+
<vuln vid="c5bd9068-440f-11ea-9cdb-001b217b3468">
<topic>Gitlab -- Multiple Vulnerabilities</topic>
<affects>
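Review bot: the `<topic>` line, "sudo -- Potential bypass of Runas user restrictions", does not describe the issue this entry documents; the commit log ("Buffer overflow when pwfeedback is set in sudoers") and the quoted advisory text ("a user may be able to trigger a stack-based buffer overflow" ... "There is no impact unless pwfeedback has been enabled") both describe CVE-2019-18634, so the topic should match, e.g. `<topic>sudo -- Stack-based buffer overflow when pwfeedback is enabled in sudoers</topic>`. The topic is what users see in `pkg audit` output, so a mismatched one will send them to the wrong advisory.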