by lelanthran 1090 days ago
> That each of the versions dannymi listed had at least one potentially exploitable issue that a natively memory safe language would have mitigated,

I'm not seeing that in the list. Of the listed CVEs, not many of them are due to memory safety.

> I'm not seeing that in the list.

All the versions/ranges listed are associated with relevant CVEs on the list. Which of the original poster's claims can you not see backed up by that list?

> Of the listed CVEs, not many of them are due to memory safety.

That is a list of all the CVEs for sudo; no claim was made or implied that they were mostly due to issues that memory safety would help with. The poster gave the link as a source for information that was presented.

> no claim was made or implied that they were mostly due to issues that memory safety would help with

he literally did

this is the entire message

Sudo 1.8.0 to 1.9.12 (the latter is from 2023(!)) are *memory unsafe*.

Sudo before 1.9.5p2 is *memory unsafe*.

Sudo before 1.8.26 is *memory unsafe*.

Sudo before 1.6.6 is *memory unsafe.*

memory unsafe here is used for dramatic purpose by the author

it actually means that

Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c *array-out-of-bounds error* that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo *by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture.*

in this light, is PHP memory safe because it enforces runtime bounds checks on arrays?

Or

In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, **it is NOT the default for upstream and many other packages**, and would exist only if enabled by an administrator.)

has one of these bugs ever been exploited?

> he literally did

He literally, both in the traditional (literally) and modern (figuratively) meanings, did not.

Stating that the page is the source for the information summarised does not mean the same as claiming all/most of the information in the page specifically refers to those cases.