Security alert for sudo [critical]

The usually very reputable computer magazine c’t on heise.com reports a critical security alert for sudo.

Vulnerable are sudo versions from 1.9.14 to 1.9.17 (possibly more). On my tumbleweed installation I have version 1.9.16 after the latest update, this is relevant.

1 Like

I am not so familiar with the procedure here.

The patch has status review.

Can this be applied? Has this already automatically been rolled out ?

1 Like

Most big distributions have already been updated. Why is this super critical patch taking so long?

There seems to be a misunderstanding of how packaging works. The CVE was published 2 days ago. The fix is at the QA stage atm in OBS.

I updated my Leap 15.6 systems yesterday and there was a Security Update for sudo. I assume it was this one?

1 Like

Leap 15.6 inherits updates from SUSE, and SUSE gets notified before the embargo is lifted, so it has time to prepare the update before the vulnerability is published.

@dbob Hi and welcome to the Forum :smile:
By default openSUSE doesn’t configure sudo, so if using that default and having set a root password, one should not be affected?

It depends on what exactly is installed.

andrei@tumbleweed:~> zypper se sudo-policy
Loading repository data...
Reading installed packages...

S  | Name                        | Summary                                            | Type
---+-----------------------------+----------------------------------------------------+--------
   | sudo-policy-sudo-auth-self  | Users in the sudo group can authenticate as admin  | package
   | sudo-policy-wheel-auth-self | Users in the wheel group can authenticate as admin | package
andrei@tumbleweed:~>

@arvidjaar ahh, I guess that’s installed if during install user/admin box is checked…

I got rid of all the fuss by removing sudo (and sudo-plugins and opi). No more security threats from sudo.

But I admit that this is very personal. :grinning:

2 Likes

This is the same thing right?

No … pretty sure it was fixed a month ago … that one has to do with pam and overriding env variables … totally different from sudo escalation and timer attacks

I see that the status of the request above is now accepted.

What does that mean for a general roll out ? How would that be done ?

It will be published in one of the next Tumbleweed snapshots after they pass openQA tests.

If you have good arguments why it should be published immediately, there is the Tumbleweed Update channel that bypasses openQA. You may consider raising this question on the factory mailing list.

1 Like

It is.

andrei@tumbleweed:/tmp> ./sudo-chwoot.sh
woot!
[sudo] password for root:
tumbleweed:/ #

I entered the WRONG password.

With today’s upgrade in tumbleweed I have got sudo version 1.9.17p1.
From the above-mentioned request I take it that this is the version that fixes the security issue. That should close the case.
Is that right ?
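As an added example, not posted by anyone in this thread, here is a small POSIX shell check that answers the two questions raised above (is my installed sudo in the affected range, and does my system even grant sudo rights via a sudo-policy package). It encodes only the range the thread itself names, 1.9.14 up to and including 1.9.17, with 1.9.17p1 taken as the first fixed release because that is the version the last post reports as the fix; the first post's "possibly more" caveat is not resolved here, so a version below 1.9.14 is reported as outside the range, not as safe. The `sudo --version` first-line format ("Sudo version X.Y.Z[pN]") and the `rpm -qa` glob are assumptions about the tools, not something the thread shows.

```shell
#!/bin/sh
# Added example: compare an installed sudo version against the range the
# thread calls vulnerable (1.9.14 .. 1.9.17; 1.9.17p1 reported as fixed).
# Assumptions: "sudo --version" prints "Sudo version X.Y.Z[pN]" on line 1,
# and rpm accepts a glob with -qa. Neither is taken from the thread.

# Turn "1.9.17p1" into a single comparable integer so that
# 1.9.17 < 1.9.17p1 and 1.9.14 < 1.9.16 compare correctly.
sudo_version_key() {
    ver="$1"
    base="${ver%%p*}"           # "1.9.17p1" -> "1.9.17"
    suffix="${ver#$base}"       # "p1" or empty
    patch="${suffix#p}"         # "1" or empty
    [ -n "$patch" ] || patch=0
    maj="${base%%.*}"           # "1"
    rest="${base#*.}"           # "9.17"
    min="${rest%%.*}"           # "9"
    pat="${rest#*.}"            # "17"
    echo $(( maj * 1000000 + min * 10000 + pat * 100 + patch ))
}

# Exit status 0 when the version lies in [1.9.14, 1.9.17p1), else 1.
sudo_is_vulnerable() {
    key=$(sudo_version_key "$1")
    lo=$(sudo_version_key 1.9.14)
    fixed=$(sudo_version_key 1.9.17p1)
    [ "$key" -ge "$lo" ] && [ "$key" -lt "$fixed" ]
}

# Extract the version token from captured "sudo --version" output
# (assumed first-line format: "Sudo version 1.9.17p1").
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version \([0-9][0-9.]*p*[0-9]*\).*/\1/p'
}

# Live check of the running system. Also lists any installed
# sudo-policy-* package, since openSUSE only grants sudo rights
# through those (see the zypper output earlier in the thread).
sudo_chwoot_check() {
    out=$(sudo --version 2>/dev/null) || { echo "sudo not installed: not affected"; return 0; }
    ver=$(sudo_version_from_output "$out")
    if sudo_is_vulnerable "$ver"; then
        echo "sudo $ver: inside the range named as vulnerable (1.9.14 .. 1.9.17)"
    else
        echo "sudo $ver: outside that range"
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa 'sudo-policy-*' 2>/dev/null | sed 's/^/installed policy: /'
    fi
}

# Run the live check only when invoked as: sh sudo-range-check.sh --run
if [ "${1:-}" = "--run" ]; then
    sudo_chwoot_check
fi
```

The version key is deliberately simple: it handles the three-component sudo scheme plus the optional pN suffix, which is all the thread needs; it is not a general RPM version comparator, so for other packages use `rpmdev-vercmp` or `zypper`'s own view instead.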