GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Wed Jul 07, 2021 10:26 am Post subject: [ GLSA 202107-11 ] OpenDoas |
 |
|
Gentoo Linux Security Advisory
Title: OpenDoas: Insufficient environment filtering (GLSA 202107-11)
Severity: normal
Exploitable: local
Date: 2021-07-07
Bug(s): #767781
ID: 202107-11
Synopsis
A vulnerability in OpenDoas could lead to privilege escalation.
Background
OpenDoas allows users to run commands as other users.
Affected Packages
Package: app-admin/doas
Vulnerable: < 6.8.1
Unaffected: >= 6.8.1
Architectures: All supported architectures
Description
OpenDoas does not properly filter the PATH variable from the resulting
shell after escalating privileges.
Impact
A local attacker with control of a user’s PATH variable could escalate
privileges if that user uses OpenDoas with a poisoned PATH variable.
Workaround
There is no known workaround at this time.
Resolution
All OpenDoas users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/doas-6.8.1"
|
References
CVE-2019-25016
Last edited by GLSA on Sat Jan 22, 2022 4:26 am; edited 2 times in total |
|
News & Announcements
