Linux Bug CVE-2021-3156

Jan 27, 2021 at 8:19pm
https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

This one is neat not only because of how simple it is to run, but it has a snappy name too. This is just a failure to tokenize arguments, but man is it a painful one.
Jan 28, 2021 at 12:08am
Now back the coding truck up, only Windows is supposed to have long term "hidden in plain sight" vulnerabilities! *nix is supposed to be without blemish or errors, same as MacOS.
Jan 28, 2021 at 5:19am
All of them have vulnerabilities. Open source operating systems appear to discover about two vulnerabilities or so per month.
FreeBSD: https://www.freebsd.org/security/advisories/
Debian: https://lists.debian.org/debian-security-announce/2021/threads.html

OpenBSD ("widely regarded as the most secure operating system available anywhere, under any licensing terms"), would probably have fewer discoveries of this kind:
https://www.openbsd.org/errata68.html
Jan 28, 2021 at 2:24pm
That's incredible that it's possible with the default configuration of such a popular program.
Jan 28, 2021 at 3:18pm
That explains the recent sudo update (at least I hope that's what it was for).

only Windows is supposed to have long term "hidden in plain sight" vulnerabilities

Don't forget Heartbleed (OpenSSL) and Shellshock (bash).
Topic archived. No new replies allowed.