Version in base suite: 1.9.13p3-1+deb12u1 Base version: sudo_1.9.13p3-1+deb12u1 Target version: sudo_1.9.13p3-1+deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/sudo/sudo_1.9.13p3-1+deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/sudo/sudo_1.9.13p3-1+deb12u2.dsc changelog | 7 +++++++ patches/series | 1 + patches/sudo_host_vuln.diff | 31 +++++++++++++++++++++++++++++++ 3 files changed, 39 insertions(+) diff -Nru sudo-1.9.13p3/debian/changelog sudo-1.9.13p3/debian/changelog --- sudo-1.9.13p3/debian/changelog 2023-06-27 11:45:00.000000000 +0000 +++ sudo-1.9.13p3/debian/changelog 2025-06-24 07:29:50.000000000 +0000 @@ -1,3 +1,10 @@ +sudo (1.9.13p3-1+deb12u2) bookworm-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Local Privilege Escalation via host option (CVE-2025-32462) + + -- Salvatore Bonaccorso Tue, 24 Jun 2025 09:29:50 +0200 + sudo (1.9.13p3-1+deb12u1) bookworm; urgency=medium * add upstream patch to fix event log format. diff -Nru sudo-1.9.13p3/debian/patches/series sudo-1.9.13p3/debian/patches/series --- sudo-1.9.13p3/debian/patches/series 2023-06-27 11:45:00.000000000 +0000 +++ sudo-1.9.13p3/debian/patches/series 2025-06-24 07:24:11.000000000 +0000 @@ -5,3 +5,4 @@ paths-in-samples.diff Whitelist-DPKG_COLORS-environment-variable.diff sudo-ldap-docs +sudo_host_vuln.diff diff -Nru sudo-1.9.13p3/debian/patches/sudo_host_vuln.diff sudo-1.9.13p3/debian/patches/sudo_host_vuln.diff --- sudo-1.9.13p3/debian/patches/sudo_host_vuln.diff 1970-01-01 00:00:00.000000000 +0000 +++ sudo-1.9.13p3/debian/patches/sudo_host_vuln.diff 2025-06-24 07:29:50.000000000 +0000 
@@ -0,0 +1,31 @@ +Desciption: Local Privilege Escalation via host option + Sudo's host (`-h` or `--host`) option is intended to be used in + conjunction with the list option (`-l` or `--list`) to list a user's + sudo privileges on a host other than the current one. However, due + to a bug it was not restricted to listing privileges and could be + used when running a command via `sudo` or editing a file with + `sudoedit`. Depending on the rules present in the sudoers file + this could allow a local privilege escalation attack. +Forwarded: not-needed + +--- a/plugins/sudoers/sudoers.c ++++ b/plugins/sudoers/sudoers.c +@@ -467,6 +467,18 @@ sudoers_policy_main(int argc, char * con + sudoers_gc_add(GC_PTR, NewArgv[0]); + } + ++ /* The user may only specify a host for "sudo -l". */ ++ if (!ISSET(sudo_mode, MODE_LIST|MODE_CHECK)) { ++ if (strcmp(user_runhost, user_host) != 0) { ++ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT, ++ N_("user not allowed to set remote host for command")); ++ sudo_warnx("%s", ++ U_("a remote host may only be specified when listing privileges.")); ++ ret = false; ++ goto done; ++ } ++ } ++ + /* If given the -P option, set the "preserve_groups" flag. */ + if (ISSET(sudo_mode, MODE_PRESERVE_GROUPS)) + def_preserve_groups = true;
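Review bot: the deb12u2 changelog entry names CVE-2025-32462 but gives no pointer to the upstream change it backports, and the new patch file carries no Origin field either, so the fix cannot be traced back from the package; extend the line `* Local Privilege Escalation via host option (CVE-2025-32462)` with the upstream release or commit that carried the fix.

Review bot: in the sudo_host_vuln.diff header the first DEP-3 field is misspelled `+Desciption:` and must read `Description:`, otherwise patch-header tooling will not recognize it; the header also lacks `Origin:` and `Bug:`/`Bug-Debian:` fields, and since `Forwarded: not-needed` implies the change is upstream's, an `Origin:` line is the minimum. In the code hunk the comment `/* The user may only specify a host for "sudo -l". */` is narrower than the guard below it, which also admits MODE_CHECK (the `sudo -l command` form); say "list or check mode" in the comment so a later reader does not tighten the condition to MODE_LIST alone. The guard itself is sound: it runs before command execution continues, fails closed by setting `ret = false` and jumping to `done`, records an audit entry via `log_warningx(SLOG_NO_STDERR|SLOG_AUDIT, ...)` before the user-facing `sudo_warnx`, and the exact `strcmp(user_runhost, user_host)` rejects any run host that is not byte-for-byte the local one, which is the safe direction for this check.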