
debcrafters-packages team mailing list archive

[Bug 2116148] Re: sudo CVE-2025-32462 and CVE-2025-32463

 

Instead of patching antique versions, why not just ship current fixed
versions?  This would make it easier for people to verify that their systems
are not vulnerable; now the only way I can check is to actually try to
reproduce the exploits.

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
  Eskimo North Linux Friendly Internet Access, Shell Accounts, and Hosting.
    Knowledgeable human assistance, not telephone trees or script readers.
  See our web site: http://www.eskimo.com/ (206) 812-0051 or (800) 246-6874.

On Tue, 8 Jul 2025, Eduardo Barretto wrote:

> Date: Tue, 08 Jul 2025 07:09:48 -0000
> From: Eduardo Barretto <2116148@xxxxxxxxxxxxxxxxxx>
> To: nanook@xxxxxxxxxx
> Subject: [Bug 2116148] Re: sudo CVE-2025-32462 and CVE-2025-32463
> 
> Hi Robert,
>
> Thanks for taking the time to report this bug and helping to make Ubuntu better.
> Those security issues were already patched, as you can see in both Ubuntu security notices:
> https://ubuntu.com/security/notices/USN-7604-1
> https://ubuntu.com/security/notices/USN-7604-2
>
> Feel free to let us know in case of any other issues.
>
> ** Information type changed from Private Security to Public Security
>
> ** Changed in: sudo (Ubuntu)
>       Status: New => Fix Released
>
> -- 
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/2116148
>
> Title:
>  sudo CVE-2025-32462 and CVE-2025-32463
>
> Status in sudo package in Ubuntu:
>  Fix Released
>
> Bug description:
>   Jack Wallen
>
>  Two critical flaws allow users to gain access to root privileges.
>
>  Nearly all major Linux distributions are vulnerable to a couple of
>  sudo bugs. The two vulnerabilities are CVE-2025-32462 and
>  CVE-2025-32463. Although the first bug has a low Common Vulnerability
>  Scoring System (CVSS) score of 2.8, the second has a score of 9.3,
>  which is critical.
>
>  Both vulnerabilities were discovered by Stratascale's Cybersecurity
>  Research Unit and the full report can be read here. One
>  very interesting point in the report states that "CVE-2025-32462 has
>  remained unnoticed for over 12 years, despite being present in the
>  code all along."
>
>  The report then mentions CVE-2025-32462, saying it "...is an
>  issue that has been hidden in plain sight since the host option was
>  implemented 12 years ago. Because it’s a built-in option, no exploit
>  is needed to elevate privileges." The report continues, "However, the
>  issue can only be leveraged with specific configurations using the
>  Host or Host_Alias directives, which are commonly used in enterprise
>  environments."
>
>  The sudo --host option allows users to list their sudo rules for a
>  particular host, and the report goes into detail on how this works in
>  conjunction with the flaws.
>
>  As far as mitigation is concerned, the only thing you need to do is to
>  confirm that your system's sudo version is at least version 1.9.17p1
>  or later, which can be done with the command sudo -V. If your version
>  is older than 1.9.17p1, update immediately.
>
>  The version currently shipped with Ubuntu 24.04 is 1.9.15p1; it would
>  be nice if someone would compile and package the latest version or at
>  least 1.9.17p1 or later and get it in the updates so our systems can
>  be secured.
>
>  ProblemType: Bug
>  DistroRelease: Ubuntu 24.04
>  Package: sudo 1.9.15p5-3ubuntu5.24.04.1
>  Uname: Linux 6.15.4 x86_64
>  ApportVersion: 2.28.1-0ubuntu3.7
>  Architecture: amd64
>  CasperMD5CheckResult: unknown
>  Date: Mon Jul  7 23:52:33 2025
>  SourcePackage: sudo
>  UpgradeStatus: No upgrade log present (probably fresh install)
>  modified.conffile..etc.sudoers: [inaccessible: [Errno 13] Permission denied: '/etc/sudoers']
>  modified.conffile..etc.sudoers.d.README: [inaccessible: [Errno 13] Permission denied: '/etc/sudoers.d/README']
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/2116148/+subscriptions
>

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-32462

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-32463
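The thread turns on how to tell whether a backported fix is installed when `sudo -V` still reports the old upstream version. The script below is an added example for this page, not code from the bug report, from Ubuntu, or from the sudo project. It checks the package changelog for the two CVE ids and compares the installed package version against the fixed version with dpkg's own comparison rules, instead of reproducing the exploits. The changelog text embedded in it is constructed for the offline demonstration, and the FIXED_VERSION value is an assumed placeholder that has to be taken from USN-7604-1 or USN-7604-2 for the release in question; the page does not state that version.

```shell
#!/bin/sh
# Added example; not code from the bug report, Ubuntu, or the sudo project.
# Ubuntu backports security fixes onto the packaged upstream version, so
# "sudo -V" alone cannot tell you whether CVE-2025-32462/32463 are fixed.
# This script checks the package changelog for the CVE ids and compares
# the installed package version against the version named in the USN,
# without trying to reproduce either exploit.

CVES="CVE-2025-32462 CVE-2025-32463"

# Constructed changelog text for the offline demonstration. On a real
# host the entry comes from "apt changelog sudo" (network needed) or from
# /usr/share/doc/sudo/changelog.Debian.gz. The version string below is a
# placeholder, not the fixed version published in the USN.
SAMPLE_CHANGELOG='sudo (1.9.15p5-3ubuntu5.24.04.X) noble-security; urgency=medium

  * SECURITY UPDATE: constructed example entry
    - CVE-2025-32462
    - CVE-2025-32463
'

# Succeed (0) only if every CVE id given as an argument appears in the
# changelog text read from stdin; fail (1) on the first id that is missing.
changelog_mentions_cves() {
    text=$(cat)
    for cve in "$@"; do
        printf '%s\n' "$text" | grep -q -- "$cve" || return 1
    done
    return 0
}

# Compare two Debian package versions with dpkg's rules (epochs, "p5",
# "ubuntu5.24.04.1" suffixes). 0: installed >= fixed, 1: installed is
# older, 2: dpkg is not available on this host.
package_is_at_least() {
    command -v dpkg >/dev/null 2>&1 || return 2
    dpkg --compare-versions "$1" ge "$2"
}

# Live check for an Ubuntu host. FIXED_VERSION is an assumption the caller
# must supply: the exact version listed in the USN for this release.
check_live() {
    FIXED_VERSION="${FIXED_VERSION:?set FIXED_VERSION to the version in USN-7604-1/-2 for this release}"
    installed=$(dpkg-query -W -f='${Version}' sudo 2>/dev/null) || {
        echo "sudo package not installed"; return 2; }
    echo "upstream build:    $(sudo -V 2>/dev/null | head -n 1)"
    echo "installed package: $installed"
    if apt changelog sudo 2>/dev/null | changelog_mentions_cves $CVES; then
        echo "changelog: both CVE ids present"
    else
        echo "changelog: CVE ids missing (or apt changelog unavailable)"
    fi
    rc=0; package_is_at_least "$installed" "$FIXED_VERSION" || rc=$?
    case $rc in
        0) echo "version: $installed >= $FIXED_VERSION, fix present" ;;
        1) echo "version: $installed < $FIXED_VERSION, NOT fixed"; return 1 ;;
        *) echo "version: cannot compare without dpkg"; return 2 ;;
    esac
}

# Offline demonstration on the constructed changelog; pass --live on an
# Ubuntu host (with FIXED_VERSION exported) to check the real package.
if [ "${1:-}" = "--live" ]; then
    check_live
elif printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions_cves $CVES; then
    echo "sample changelog names both CVEs"
fi
```

The changelog grep answers the question the reporter raises (is the CVE fix in this build?), and `dpkg --compare-versions` handles the "p5" and "ubuntu5.24.04.1" components that a naive string or numeric comparison gets wrong; comparing against the upstream 1.9.17p1 number would wrongly flag every backported Ubuntu build as vulnerable.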

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/2116148
