by syrrim 1249 days ago
Is there a patch, or more detailed explanation of what causes this?
3 comments

Ubuntu shipped the patch three days ago. The output of `apt changelog sudo` on 22.04 LTS:

  sudo (1.9.9-1ubuntu2.2) jammy-security; urgency=medium

    * SECURITY UPDATE: arbitrary file overwrite via sudoedit
      - debian/patches/CVE-2023-22809.patch: do not permit editor arguments
        to include -- in plugins/sudoers/editor.c, plugins/sudoers/sudoers.c,
        plugins/sudoers/visudo.c.
      - CVE-2023-22809
    * SECURITY UPDATE: DoS via invalid arithmetic shift in Protobuf-c
      - debian/patches/CVE-2022-33070.patch: only shift unsigned values in
        lib/protobuf-c/protobuf-c.c.
      - CVE-2022-33070

   -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 16 Jan 2023 07:36:33 -0500

There is a detailed explanation on the sudo website: https://www.sudo.ws/security/advisories/sudoedit_any/

There's a detailed writeup mentioned in the post https://www.synacktiv.com/sites/default/files/2023-01/sudo-C....

It shells out to the EDITOR environment variable, which is controlled by the less privileged user.

In this example they inject running an editor against another file.

I'm guessing you can put arbitrary code in there or point it at a locally controlled executable too. But I'm not sure. Maybe sudoedit puts more scrutiny on that variable than most non-security programs. At any rate many text editors have lots of modules and scripting and can presumably load and execute code as the privileged user.

The workaround is to change the sudo config file to remove the EDITOR environment variable and a few others.

> At any rate many text editors have lots of modules and scripting and can presumably load and execute code as the privileged user.

Sudoedit does not run the editor as a privileged user; that is kinda the whole point.
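
The changelog entry quoted in the thread describes the fix as not permitting editor arguments to include `--`. As an added example (not sudo's code and not written by any commenter), here is a simplified C model of that check applied to a user-supplied editor value; the function name `check_editor_value` and the whitespace-only word splitting are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Simplified model (hypothetical, not sudo's implementation) of validating
 * a user-controlled editor value such as $EDITOR before it becomes an argv.
 * Returns the number of words (editor plus its arguments), or -1 if the
 * value is NULL, empty, or contains a bare "--" word.
 */
int check_editor_value(const char *value)
{
    int nwords = 0;
    const char *p = value;

    if (value == NULL)
        return -1;

    for (;;) {
        /* Skip blanks; quoting and escapes are ignored in this model. */
        p += strspn(p, " \t");
        if (*p == '\0')
            break;

        size_t len = strcspn(p, " \t");

        /* A bare "--" supplied by the user cannot be told apart from the
         * separator placed between editor arguments and the file names,
         * so the whole value is refused. "--option" is still allowed. */
        if (len == 2 && strncmp(p, "--", 2) == 0)
            return -1;

        nwords++;
        p += len;
    }
    return nwords > 0 ? nwords : -1;
}

int main(void)
{
    /* Constructed sample values, not taken from the advisory. */
    const char *samples[] = {
        "vim", "emacs -nw", "vim --noplugin", "vim -- /constructed/path", ""
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-28s -> %d\n", samples[i], check_editor_value(samples[i]));
    return 0;
}
```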