top | item 45893249

(no title)

j0057 | 3 months ago

> A partially typed password would be output to standard input if a timeout occurred when Defaults pwfeedback was not enabled (GHSA-q428-6v73-fc4q).

> Timestamp files did not take into account the setting of the Defaults targetpw and Defaults rootpw (GHSA-c978-wq47-pvvw)

discuss

JoshTriplett|3 months ago

"moderate" makes sense here; those are issues that needed fixing, but they wouldn't give someone privileged access they shouldn't have, and they occur in non-default configurations.

porridgeraisin|3 months ago

> access they shouldn't have

It does, quotes from https://github.com/trifectatechfoundation/sudo-rs/security/a... below:

> A highly-privileged user (able to run commands as other users, or as root, through sudo) who knows one password of an account they are allowed to run commands as, would be able to run commands as any other account the policy permits them to run commands for, even if they don't know the password for those accounts.

> A common instance of this would be that a user can still use their own password to run commands as root (the default behaviour of sudo), effectively negating the intended behaviour of the targetpw or rootpw options.