CVE-2019-25016 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	No
Type	Privilege escalation
Description	A security issue has been found in OpenDoas before 6.8.1, where rules that allowed the user to execute any command would inherit the executing user's PATH instead of resetting it to a default PATH. Rules that limit the user to execute only a specific command are not affected by this and are only executed from the default PATH and with the PATH environment variable set to the safe default.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1504	opendoas	6.6.1-2	6.8.1-2	High	Fixed

Date	Advisory	Group	Package	Severity	Type
06 Feb 2021	ASA-202102-8	AVG-1504	opendoas	High	privilege escalation

References
https://github.com/Duncaen/OpenDoas/releases/tag/v6.8.1 https://github.com/Duncaen/OpenDoas/issues/45 https://github.com/Duncaen/OpenDoas/commit/d5acd52e2a15c36a8e06f9103d35622933aa422d.patch https://gitlab.alpinelinux.org/alpine/aports/-/blob/9e259950190c924b4a17825aad2d7cee87fbd75b/main/doas/reset-path.patch

References

https://github.com/Duncaen/OpenDoas/releases/tag/v6.8.1
https://github.com/Duncaen/OpenDoas/issues/45
https://github.com/Duncaen/OpenDoas/commit/d5acd52e2a15c36a8e06f9103d35622933aa422d.patch
https://gitlab.alpinelinux.org/alpine/aports/-/blob/9e259950190c924b4a17825aad2d7cee87fbd75b/main/doas/reset-path.patch