CVE-2019-25016

Severity: High
Remote: No
Type: Privilege escalation
Description
A security issue has been found in OpenDoas before 6.8.1: rules that allow the user to execute any command inherit the executing user's PATH instead of resetting it to a default PATH. Rules that limit the user to a specific command are not affected; those commands are looked up only in the default PATH and run with the PATH environment variable set to the safe default.
Group      Package    Affected   Fixed     Severity   Status   Ticket
AVG-1504   opendoas   6.6.1-2    6.8.1-2   High       Fixed

Date          Advisory       Group      Package    Severity   Type
06 Feb 2021   ASA-202102-8   AVG-1504   opendoas   High       privilege escalation
References
https://github.com/Duncaen/OpenDoas/releases/tag/v6.8.1
https://github.com/Duncaen/OpenDoas/issues/45
https://github.com/Duncaen/OpenDoas/commit/d5acd52e2a15c36a8e06f9103d35622933aa422d.patch
https://gitlab.alpinelinux.org/alpine/aports/-/blob/9e259950190c924b4a17825aad2d7cee87fbd75b/main/doas/reset-path.patch