by duncaen
1966 days ago
I would say that the concept and implementation in C is inherently insecure. Switching to something less reviewed because there is a sudo vulnerability is not a guarantee that you are now "safer", especially if those ports are not reviewed. As far as I can say, never ever use slicer69/doas; I've found 3 critical security vulnerabilities in it, and the author does not understand C or how it should work in general. Here are 3 examples of issues I found, where the author used misleading commit titles to hide the issues and made excuses saying a clear buffer overflow very similar to the one found in sudo is just "potential":

- https://github.com/slicer69/doas/commit/261c2164496dbebe6e3e...
- https://github.com/slicer69/doas/commit/2f83222829448e5bc4c9...

I even had to do a PR myself to fix an issue the author was not able to understand, as more and more people started to use it:

- https://github.com/slicer69/doas/pull/23