CVE-2019-25016 - log

CVE-2019-25016 edited at 29 Jan 2021 08:35:59
Description
- A security issue has been found in OpenDoas before 6.8.1, where rules that allowed the user to execute any command would inherit the executing users PATH instead of resetting it to a default PATH. Rules that limit the user to execute only a specific command are not affected by this and are only executed from the default PATH and with the PATH environment variable set to the safe default.
+ A security issue has been found in OpenDoas before 6.8.1, where rules that allowed the user to execute any command would inherit the executing user's PATH instead of resetting it to a default PATH. Rules that limit the user to execute only a specific command are not affected by this and are only executed from the default PATH and with the PATH environment variable set to the safe default.
CVE-2019-25016 edited at 29 Jan 2021 08:23:29
Severity
- Unknown
+ High
Remote
- Unknown
+ Local
Type
- Unknown
+ Privilege escalation
Description
+ A security issue has been found in OpenDoas before 6.8.1, where rules that allowed the user to execute any command would inherit the executing users PATH instead of resetting it to a default PATH. Rules that limit the user to execute only a specific command are not affected by this and are only executed from the default PATH and with the PATH environment variable set to the safe default.
References
+ https://github.com/Duncaen/OpenDoas/releases/tag/v6.8.1
+ https://github.com/Duncaen/OpenDoas/issues/45
+ https://github.com/Duncaen/OpenDoas/commit/d5acd52e2a15c36a8e06f9103d35622933aa422d.patch
+ https://gitlab.alpinelinux.org/alpine/aports/-/blob/9e259950190c924b4a17825aad2d7cee87fbd75b/main/doas/reset-path.patch
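The distinction the description draws (rules that pin a command always reset PATH, rules that permit any command passed the caller's PATH through before 6.8.1) is modelled below. This is an added illustration written for this entry, not OpenDoas code: the `SAFE_PATH` value is an assumed stand-in for whatever default the build uses, the doas.conf grammar handled is a small subset, and the directory map standing in for a filesystem is constructed so the example runs offline.

```python
"""Model of the doas PATH handling described in CVE-2019-25016.

Added example, not OpenDoas source. It shows which binary an unqualified
command name resolves to when a rule permits any command versus a specific
command, before and after the 6.8.1 fix.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumed "safe default" PATH. OpenDoas takes its own from the libc/build;
# the exact directories are not the point, only that the caller cannot
# influence them.
SAFE_PATH = "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

# Options that may appear between 'permit' and the user name (subset).
_OPTIONS = {"nopass", "persist", "keepenv"}


@dataclass(frozen=True)
class Rule:
    user: str
    cmd: Optional[str] = None  # None models 'permit alice' (any command)


def parse_rule(line: str) -> Rule:
    """Parse 'permit [options] USER [as TARGET] [cmd CMD]'; deny rules are
    not modelled because they never start a command."""
    parts = line.split()
    if not parts or parts[0] != "permit":
        raise ValueError(f"unsupported rule: {line!r}")
    rest = [p for p in parts[1:] if p not in _OPTIONS]
    if not rest:
        raise ValueError(f"rule without user: {line!r}")
    cmd = rest[rest.index("cmd") + 1] if "cmd" in rest else None
    return Rule(user=rest[0], cmd=cmd)


def target_path(rule: Rule, caller_path: str, fixed: bool) -> str:
    """PATH seen by the command doas starts.

    Before 6.8.1 (fixed=False) a rule with no 'cmd' restriction inherited
    the caller's PATH; rules naming a specific cmd always reset it.
    """
    if rule.cmd is None and not fixed:
        return caller_path
    return SAFE_PATH


def resolve(name: str, path: str, present: dict[str, set[str]]) -> Optional[str]:
    """First PATH directory containing `name`, looked up in a constructed
    {directory: {binary names}} map rather than on the real filesystem."""
    for directory in path.split(":"):
        if name in present.get(directory, set()):
            return f"{directory}/{name}"
    return None


# Constructed filesystem: the calling user writes to /home/alice/bin and
# has put it first in PATH, as many shell profiles do.
FS = {
    "/home/alice/bin": {"ls"},
    "/bin": {"ls", "sh"},
    "/usr/bin": {"ls", "sh", "id"},
}
CALLER_PATH = "/home/alice/bin:/usr/bin:/bin"


def where_ls_resolves(rule_line: str, fixed: bool) -> Optional[str]:
    """Which 'ls' an unqualified invocation under the rule would execute."""
    rule = parse_rule(rule_line)
    return resolve("ls", target_path(rule, CALLER_PATH, fixed), FS)


if __name__ == "__main__":
    for line in ("permit alice", "permit nopass alice cmd /usr/bin/id"):
        for fixed in (False, True):
            version = "6.8.1+" if fixed else "<6.8.1"
            print(f"{line!r:40} {version:7} ls -> {where_ls_resolves(line, fixed)}")
```

The practical check on a real host is the same shape as `where_ls_resolves`: prepend a directory you control to PATH, run a command through doas under an any-command rule, and confirm the PATH it reports is the reset default rather than yours.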
Notes
CVE-2019-25016 created at 29 Jan 2021 08:20:14