[dspillett]

That each of the versions dannymi listed had at least one potentially exploitable issue that a natively memory safe language would have mitigated, versions actively used in production as recently as this year even by people who keep bang up-to-date?

I'm sceptical that the chance of introducing new and interesting bugs of other varieties with a rewrite is worth the protection offered by the new environment¹, but either your dismissal of dannymi's point is rather disingenuous or you genuinely were missing something that had been stated quite obviously…

--

[1] except where existing problems are so systemic that fixing them in the original stack would effectively be a partial rewrite anyway, so susceptible to the same risk

[peoplefromibiza]

> That each of the versions dannymi listed had at least one potentially exploitable

Can you please point me to each one of those?

I can only see a few of them.

> memory safe language would have mitigated

potentially, assuming there are no bugs anywhere in the toolchain.

> but either your dismissal of dannymi's point

I wasn't dismissing no one's point.

I simply scrolled through the list of issues and found out that the majority of them were things like (picked them randomly)

systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.x and 9.x (e.g., 8.8.15). The Sudo configuration permits the zimbra user to execute the NGINX binary as root with arbitrary parameters. As part of its intended functionality, NGINX can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root.

A privilege escalation vulnerability in FortiNAC version below 8.8.2 may allow an admin user to escalate the privileges to root by abusing the sudo privileges.

It was found that cifs-utils' mount.cifs was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges

I am genuinely asking if memory safe languages could prevent this kind of issues, which represent the overwhelming majority of the issues reported on that specific page, and how.

[dspillett]

> Can you please point me to each one of those?

By the magic of find-in-page:

1.9.5p2, CVE-2021-3156

1.8.26, CVE-2019-18634

1.6.6, CVE-2002-0184

1.8.0-to-1.9.12, CVE-2022-43995

I've not read into them in detail, but they are all overflow issues that other languages could have mitigated. Of course they may mitigate them by the task falling over at run-time, but that is “failing safer” than continuing with (potentially deliberately) corrupted data.

---------------------------------

I only spotted the extra details you added when I submitted my first reply (had the reply form open for a while due to work distractions):

> I am genuinely asking if memory safe languages could prevent this kind of issues, which represent the overwhelming majority of the issues reported on that specific page

That page is listing all issues in sudo logged in that database, from which the relevant data was summarised (basically the OP was citing his source). No claim was being made that increased built-in memory safety would prevent all the issues (or even many of them) in that list.

[peoplefromibiza]

> 1.9.5p2, CVE-2021-3156

> 1.8.26, CVE-2019-18634

> 1.8.0-to-1.9.12, CVE-2022-43995

interestingly these would not be a problem in a language like Pascal that is not memory safe, but has runtime bounds checks enabled by default or C++ that has flags to enable it

So we are left with one over at least a 100

another interesting thing IMO is that the bugs have been sitting there for a long time, so they are probably not obvious and nobody can be sure there aren't similar sleeping bugs in today's software written in safer languages.

This is not against memory-safe languages, mind you, I prefer Rust over C or C++ any day, I simply found that the original claim seemed too bold compared to the actual data and failed IMO to prove that sudo is ridden by easily exploitable memory bugs.

[lelanthran]

> That each of the versions dannymi listed had at least one potentially exploitable issue that a natively memory safe language would have mitigated,

I'm not seeing that in the list. Of the listed CVEs, not many of them are due to memory safety.

[dspillett]

> I'm not seeing that in the list.

All the versions/ranges listed are associated with relevant CVEs on the list, which of the original posters claims can you not see backed up by that list?

> Of the listed CVEs, not many of them are due to memory safety.

That is a list of all the CVEs for sudo, no claim was made of implied that they were mostly due to issues that memory safety would help with, the poster gave the link as a source for information that was presented.

[peoplefromibiza]

> no claim was made of implied that they were mostly due to issues that memory safety would help with

he literally did

this is the entire message

Sudo 1.8.0 to 1.9.12 (the latter is from 2023(!)) are *memory unsafe*.

Sudo before 1.9.5p2 is *memory unsafe*.

Sudo before 1.8.26 is *memory unsafe*.

Sudo before 1.6.6 is *memory unsafe.*

memory unsafe here is used for dramatic purpose by the author

it actually means that

Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c *array-out-of-bounds error* that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo *by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture.*

in this light, is PHP memory safe because it enforces runtime bounds checks on arrays?

Or

In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, **it is NOT the default for upstream and many other packages**, and would exist only if enabled by an administrator.)

has one of these bugs ever been exploited?

[dspillett]

> he literally did

He literarily, both in the traditional (literally) and modern (figuratively) meanings, did not.

Stating that the page is the source for the information summarised does not mean the same as claiming all/most of the information in the page specifically refers to those cases.