Sudo vulnerability CVE-2021-3156

A serious vulnerability with sudo has been found allowing unauthorized privilege escalation. The vulnerability was found by Qualys: https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

The vulnerability is tracked under CVE-2021-3156 and is code-named “Baron Samedit”.

My Librem 5 already has an update that patches this vulnerability.

Just trying to get the word out.

6 Likes

I just find this sentence funny :slight_smile:

I thought it was a feature of sudo :wink: sudo -s

2 Likes

@FamousJameous Good call and thanks for getting the word out. Testing the way the Qualys blog recommends testing for the vulnerability, it looks like PureOS amber is patched as well.
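The check the post above refers to, scripted as an added example (this is not code from the thread, from Qualys or from Purism): the Qualys advisory says to run `sudoedit -s /` as an unprivileged user and look at the first word of the error, "sudoedit:" meaning vulnerable and "usage:" meaning patched. The script also compares the installed Debian package version against the fixed buster build quoted later in this thread (1.8.27-1+deb10u3); that version number is an assumption taken from the thread and applies to Debian 10 / PureOS amber only, other releases ship different fixed builds. It needs sudo and dpkg installed but no root access.

```shell
#!/bin/sh
# Added example, not from the forum thread, Qualys or Purism: scripts the
# CVE-2021-3156 probe from the Qualys advisory and a Debian package-version check.

# Classify the first line "sudoedit -s /" prints. Per the advisory, a vulnerable
# sudo reaches the buggy code path and the message starts with "sudoedit:"; a
# patched sudo rejects "-s" for sudoedit up front and prints its usage line.
classify_sudoedit_output() {
    case "$1" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# Run the probe on this host. No root needed: the error is produced before any
# password prompt, and nothing is edited or executed.
probe_sudoedit() {
    if ! command -v sudoedit >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    out=$(sudoedit -s / 2>&1 </dev/null | head -n 1)
    classify_sudoedit_output "$out"
}

# Debian/PureOS only: is the installed sudo package at least FIXED_VERSION?
# Prints "fixed", "old" or "unknown". FIXED_VERSION is the buster build quoted
# in this thread (assumption); other releases have different fixed versions.
FIXED_VERSION="1.8.27-1+deb10u3"
sudo_package_status() {
    if ! command -v dpkg-query >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    v=$(dpkg-query -W -f='${Version}' sudo 2>/dev/null) || { echo unknown; return 0; }
    if dpkg --compare-versions "$v" ge "$FIXED_VERSION"; then
        echo fixed
    else
        echo old
    fi
}

main() {
    echo "sudoedit probe: $(probe_sudoedit)"
    echo "sudo package:   $(sudo_package_status)"
}

main
```

The two checks are independent on purpose: the package version tells you what apt installed, while the sudoedit probe tells you what the binary on disk actually does, which is the one that matters if sudo was built from source or pinned to an older package.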

Haha, oh yeah. I didn’t even think of that. Maybe “unauthorized privilege escalation” would be better.

Must have come in overnight. I just installed it on my Librem 5.

Unpacking sudo (1.8.27-1+deb10u3) over (1.8.27-1+deb10u2) ...

This would be a serious vulnerability in multi-user systems but since it requires unprivileged access in the first place, for most single-user devices it would require either physical access or a blended attack involving some other vulnerability in order to exploit it.