[jeffbee]

You can bet your bottom banana that the GRU, the NSA, Chinese state security, and the mob have all thoroughly fuzzed sudo and are sitting on the results.

It just seems SO EASY to add a test for this problem, literally the relevant test input is one slash by itself, or any string ending in a slash! So simple! If I sent a change like this at work, no matter how trivial, that said it fixed this bug but I didn't send any tests, the reviewer would reject it out of hand or, probably, just silently ignore my change. But that's the real problem here. This program is a monograph. There are no reviewers and there are, consequently, no standards.

[mike_d]

It sounds like you'd find great pleasure in writing harnesses for oss-fuzz. Google has found and reported over 25,000 bugs in 375 projects, but they need people like you to help wire up new projects.

You can get started here: https://google.github.io/oss-fuzz/

[arp242]

Maybe expecting projects that mostly consist of a single guy working on it in their spare time to be "NSA proof" isn't really realistic?

Folk love to bring up "responsibility" and all of that, but you can't really expect people to bear the responsibility of the world on their shoulders for their spare time projects. It's neither realistic nor fair.

[Someone]

No, you can’t. I think the blame shouldn’t be on this author, but on those choosing to install it or, worse, choosing to ship it on their OS.

OpenBSD replaced sudo with doas (http://man.openbsd.org/doas) in 2016 (https://www.infoworld.com/article/3099038/openbsd-60-tighten...). It’s a safe bet it’s more secure than sudo.

[greggyb]

Sudo was (maybe still is?) an OpenBSD project. I don't believe it originated there, but their code forms/formed the basis for sudo pretty much everywhere, much like OpenSSH.

[JoachimS]

doas is a a really good replacement.

[pocketgrok]

Maybe something that’s sole purpose is privilege escalation, like sudo, should come with some expectation of responsibility.

[jolux]

No, but having tests is an acceptable baseline.

[arp242]

There are tests. Are there enough tests? Maybe not. But people can do in their spare time whatever they want, including writing code without tests.

[jolux]

The thing is, "do what thou wilt" is clearly indefensible as an engineering standard, and I doubt you would disagree. So yes, I can't force anyone to write tests.

However, I do want to see programming as a culture adopt a higher standard when it comes to checking their work, and I think the continued prevalence of bugs like this are an indicator that we actually need to do so. I'm not asking for NSA-proof because that's not reasonable. But memory safety is a solved problem, and we need to be putting in the legwork to make more of our stack memory safe.

[brigandish]

People can do what they want in their spare time, true, but that it is their spare time does not make the action responsible or irresponsible, nor does it shelter them from responsibility.

Not wearing a seatbelt when at work or in your spare time is irresponsible.

Writing code, without tests, that others use (and for security at that) is irresponsible.

[samatman]

Y'know, I don't agree with you in general, and you did put this in general terms.

But this is frakkin sudo we're talking about.

It's a wonder that anything works, ever.

[arp242]

Yeah, this goes back to the whole "Open Source and corporate funding" story. As far as I can find, sudo doesn't get any direct funding at the moment, although various companies have undoubtedly contributed patches.

[brigandish]

It’s nice when those with differing viewpoints can find common ground over their profound disappointment with the world (or at least their profession).

Reading the code of important open source projects is not for the faint hearted!

[gerikson]

From https://www.sudo.ws/license.html

> THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

If you don't like this license, you're free to use other software.

[brigandish]

What’s that got to do with what I wrote?

Nothing, as far as I can see. If someone writes some crappy security software and hides behind a licence that only means those relying on it have joined them in being irresponsible. Responsibility multiplies, it’s not zero-sum.

[arp242]

> Writing code, without tests, that others use (and for security at that) is irresponsible.

You can choose to run this code, or you can choose not to run this code. It's really up to you.

This is very different from a sealbelt, as I can't choose to not have an accident with you, potentially causing a needless fatality.

[brigandish]

> This is very different from a seatbelt

You can choose to wear this seatbelt, or you can choose not to wear this seatbelt. It's really up to you.

[lmm]

This code is advertised as a security tool, is it not? The only reason anyone runs sudo is because it (supposedly) improves their security. I think some responsibility comes with that.

[GoblinSlayer]

That's fine, existing software comes first, decent software comes second, sudo is the former. That said, it's a good candidate for riir (safety, right?), but riir happened to grep instead.

[jjoonathan]

> It just seems SO EASY

Then do it! On your own time, rather than complaining that someone else didn't do it on theirs!

[natevancouver]

Does the project have a testing framework in place? How is the project built and distributed? Can testing be integrated into its CI/CD pipeline? Is there a CI/CD pipeline? Adding frameworks and infrastructure to a project is one of those things that is a lot more work than it appears to be. They should do it, for sure, but I wouldn’t dismiss it as trivial on a decades-old system that was never built for it.

[bnroberts]

Single persons often have superhuman standards. It is easy to see that most of the best works in math or art were produced by an individual.

Code review can work, but often it doesn't. There are countless examples of projects with "strict" review requirements that have similar issues (whereas qmail only had one).

Writing tests is the important thing, it keeps you honest.

[jeffbee]

31 CVEs later I think it's safe to say that this particular author does not possess superhuman standards. How much more evidence would we need?