Message-ID: <20210127093340.6d976bc2@computer>
Date: Wed, 27 Jan 2021 09:33:40 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)

Hi,

Just sharing a few thoughts and things I read elsewhere:

complexity
==========

The top comment on lobste.rs points out that a problem of sudo is
complexity:
https://lobste.rs/s/efsvqu/heap_based_buffer_overflow_sudo_cve_2021#c_c6fcfa

I think that's a very fair point. Also, it seems the development trend
in sudo is to actually increase complexity even more and add all
kinds of features that really should not be part of a suid tool, see
e.g.
https://computingforgeeks.com/better-secure-new-sudo-release/

The lobste.rs poster points to doas, which seems to be a much simpler
alternative coming from OpenBSD; a portable version exists:
https://github.com/Duncaen/OpenDoas

testing
=======

Top commenter at HN points out that there's a lack of testing in sudo:
https://news.ycombinator.com/item?id=25921811

Neither the commit that introduced this bug nor the commit that fixed
it contained a test.

Fair point again.
Here doas does not compare well: It does not seem to come with a test
suite at all.


-- 
Hanno Böck
https://hboeck.de/
