Date: Wed, 27 Jan 2021 09:33:40 +0100
From: Hanno Böck <>
Subject: Re: Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)


Just sharing a few thoughts and things I read elsewhere:


The top comment on points out that a problem of sudo is

I think that's a very fair point. Also it seems the development trend
in sudo is to actually increase complexity even more and add all
kinds of features that really should not be part of a suid tool, see

The poster points to doas, which seems to be a much simpler
alternative coming from OpenBSD, a portable version exists:


Top commenter at HN points out that there's a lack of testing in sudo:

Neither the commit that introduced this bug nor the commit that fixed
it contained a test.

Fair point again.
Here doas does not compare well: It does not seem to come with a test
suite at all.

Hanno Böck
