The Ubuntu 25.10 transition to using some Rust system utilities continues proving quite rocky. Beyond some early performance issues with Rust Coreutils, breakage for some executables, and broken unattended upgrades due to a Rust Coreutils bug, it’s also sudo-rs now causing Ubuntu developers some headaches. There are two moderate security issues affecting sudo-rs, the Rust version of sudo being used by Ubuntu 25.10.


Nice(!) to see so many people who don’t know anything about programming get successfully propagandized into going against something they know nothing about.
Below is a list of CVE’s published against original sudo, all within the last 5 years. You may not have heard of them, because CVE’s against non-Rust projects are not news 🫣
sudo CVE’s from within the last 5 years (severity scores are not available/assigned always)
CVE-2021-3156 (Severity: High)
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via “sudoedit -s” and a command-line argument that ends with a single backslash character.
CVE-2021-23239
The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.
CVE-2021-23240
selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file target. This affects SELinux RBAC support in permissive mode. Machines without SELinux are not vulnerable.
CVE-2022-43995 (Severity: High)
Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read.
CVE-2023-7090 (Severity: Medium)
A flaw was found in sudo in the handling of ipa_hostname, where ipa_hostname from /etc/sssd/sssd.conf was not propagated in sudo. Therefore, it leads to privilege mismanagement vulnerability in applications, where client hosts retain privileges even after retracting them.
CVE-2023-22809 (Severity: High)
In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation.
CVE-2023-27320 (Severity: High)
Sudo before 1.9.13p2 has a double free in the per-command chroot feature.
CVE-2023-28486
Sudo before 1.9.13 does not escape control characters in log messages.
CVE-2023-28487
Sudo before 1.9.13 does not escape control characters in sudoreplay output.
CVE-2023-42465
Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit.
CVE-2025-32462 (Severity: Low)
Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.
CVE-2025-32463 (Severity: Critical)
Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
The special comment from @[email protected] in this thread deserves some focus:
This has all the classics from the collectively manic discourse that has been spreading lately
The only classic missing is “battle tested” which is a crowd favorite these days.
But of course the internet gantry’s knowledge about CVE’s reported against non-Rust projects, is as good as their understanding of the Rust language itself.
Someone bothering to be minimally informed, even when lacking the technical knowledge to maximize their understanding of the information, would have known that the original “mature” sudo has CVE’s published against it all the time. A CRITICAL one was rather recent even. And as it just happens, the ones not (directly) related to memory safety did outnumber the ones that did recently (5 year span). Which ones had higher severity is left as homework for the internet gantry.
The discourse centered around memory safety itself lacks the knowledge to realize that the overall value proposition of Rust is much bigger than this single aspect, although the breadth of sub-aspects that cover memory safety offered by Rust is itself also under-grasped.
The internet gantry’s susceptibility to propaganda and good old FUD done by ignorant and drama mongering “influencers” and “e-celebs” would have been almost concerning, that is if their transient feelings mattered in any way, in the grand scheme of things.
Needless to say, but this comment is not meant to be disparaging towards Todd C. Miller or any other sudo developer/maintainer. He has a good relationship with sudo-rs developers anyway, not that the internet gantry would know.
Better than I could have ever put it. But to add my own thoughts,
sudo-rs does not gain value just by being in Rust.
sudo with compatibility for common flags while intentionally not implementing niche/legacy options, including the one used by CVE-2025-32463, though if I did not need any of those flags at all, I would (and in past, have) just use opendoas.
sudo and has caught regressions in it. The rewrite wanting parity with sudo’s behavior has improved the original sudo; you can gain its benefits even if you won’t/don’t/can’t run it. This is the main reason uutils hasn’t convinced me of its worth yet.
sudo is just good. By translating it, they have to understand many of sudo’s poorly-documented idiosyncrasies and review all its relevant code and consider potential edge-cases. That’s basically an audit.
Nah, it’s just that a whole lot of people, me included, are tired of foolish “but Rust is safe!!!1” propaganda-like shallow screams, like kids getting a new toy. I am ok when watching Linux distro battles, because that’s by definition child’s play and individual experience varies wildly among participants, but regarding programming languages I would rather see a long boring description of what is tackled how and why this is better than the “bad and buggy” alternative than this cheap shouting.
P.S. the criticism does not go to you personally, yours is a good post, I thank you for it
What is the value proposition of Rust? I thought it was entirely about memory safety. But I’m not a programmer.
Rust has features that are not directly related to memory safety, but introduce paradigmatic and ergonomic improvements that help writing correct logic more often. Features like sum types (powerful enums) and type classes (traits, how generics are implemented) quickly come to mind. Hygienic macros and procedural macros are also very powerful features.
Sometimes the two aspects (language feature and memory safety) come together. For example, the Send and Sync traits are the part of the type system that contributes to implementing thread safety.
So it’s not all just about (im)mutability, lifetimes, and the borrow checker, the directly relevant safety features.
Also, the tooling and the ecosystem are factors the value of which can not be understated.
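An added illustration of the sum-type point in the comment above (not part of the thread, and not code from sudo or sudo-rs): it contrasts the "not equal to an error value" check described under CVE-2023-42465 with an enum that must be matched exhaustively. All names and status values are hypothetical.

```rust
// Added illustration; every name and value is hypothetical, not from sudo or sudo-rs.
const AUTH_SUCCESS: i32 = 0;
const AUTH_FAILURE: i32 = 1;
const AUTH_ERROR: i32 = -1;

/// Fragile: anything that is not the failure value is treated as success,
/// so an error code or an unexpected value grants access.
fn allowed_by_negative_check(code: i32) -> bool {
    code != AUTH_FAILURE
}

/// Stricter integer check: only the exact success value grants access.
fn allowed_by_positive_check(code: i32) -> bool {
    code == AUTH_SUCCESS
}

/// Sum type: each outcome is its own variant and carries its own data.
#[derive(Debug, PartialEq)]
enum AuthOutcome {
    Granted { user: String },
    Denied { attempts_left: u8 },
    BackendError(String),
}

/// Every raw status must be classified; unknown values become an error variant.
fn classify(code: i32, user: &str) -> AuthOutcome {
    match code {
        AUTH_SUCCESS => AuthOutcome::Granted { user: user.to_string() },
        AUTH_FAILURE => AuthOutcome::Denied { attempts_left: 2 },
        other => AuthOutcome::BackendError(format!("unexpected status {}", other)),
    }
}

/// Exhaustive match: removing an arm, or adding a variant, is a compile error
/// until the decision for that case is written down.
fn may_run_command(outcome: &AuthOutcome) -> bool {
    match outcome {
        AuthOutcome::Granted { .. } => true,
        AuthOutcome::Denied { .. } | AuthOutcome::BackendError(_) => false,
    }
}

fn main() {
    for code in [AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR, 3] {
        let outcome = classify(code, "alice");
        println!("{:>2}: negative={} positive={} enum={} ({:?})", code, allowed_by_negative_check(code), allowed_by_positive_check(code), may_run_command(&outcome), outcome);
    }
}
```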
Well said. I personally enjoy using a systems-level language with a handful of functional programming features. I also enjoy the support for async runtimes and other concurrency features (channels).
Rust allows me to get away from more boring (to me) languages (e.g. JS/TS, Java, Kotlin).
Yes