[manjaro-security] [ASA-202102-8] opendoas: privilege escalation
Remi Gacogne via arch-security
arch-security at lists.archlinux.org
Fri Feb 12 08:03:46 CET 2021
Arch Linux Security Advisory ASA-202102-8
Date : 2021-02-06
CVE-ID : CVE-2019-25016
Package : opendoas
Type : privilege escalation
Remote : No
Link : https://security.archlinux.org/AVG-1504
The package opendoas before version 6.8.1-2 is vulnerable to privilege
Upgrade to 6.8.1-2.
# pacman -Syu "opendoas>=6.8.1-2"
The problem has been fixed upstream in version 6.8.1.
A security issue has been found in OpenDoas before 6.8.1, where rules
that allowed the user to execute any command would inherit the
executing user's PATH instead of resetting it to a default PATH. Rules
that limit the user to execute only a specific command are not affected
by this and are only executed from the default PATH and with the PATH
environment variable set to the safe default.
A local user might be able to escalate privileges.
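An added audit example, not part of the advisory or of OpenDoas: it lists the permit rules in a doas.conf that carry no cmd clause, which are the rules the description above says inherited the executing user's PATH before 6.8.1. The function name and the sample configuration are constructed for illustration, and the parser assumes one rule per line.

```python
import shlex

# Constructed sample doas.conf (not taken from the advisory).
SAMPLE_CONF = """\
# admins may run anything
permit persist :wheel
permit nopass alice as root cmd /usr/bin/pacman args -Syu
deny bob
permit keepenv carol as root   # unrestricted
permit nopass dave as "cmd"
"""


def unrestricted_permit_rules(conf_text):
    """Return (line_number, rule) for each permit rule that has no cmd clause.

    Assumption: one rule per line (backslash continuations are not joined).
    """
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        # Non-POSIX mode keeps quote characters in the tokens, so a quoted
        # "cmd" is not mistaken for the keyword; '#' starts a comment.
        lexer = shlex.shlex(raw, posix=False)
        lexer.whitespace_split = True
        try:
            tokens = list(lexer)
        except ValueError as exc:  # e.g. an unterminated quote
            raise ValueError(f"line {lineno}: {exc}") from None
        if not tokens or tokens[0] != "permit":
            continue  # blank line, comment, or deny rule
        if "cmd" not in tokens[1:]:
            # No command restriction: the rule lets the user run anything.
            findings.append((lineno, " ".join(tokens)))
    return findings


if __name__ == "__main__":
    for lineno, rule in unrestricted_permit_rules(SAMPLE_CONF):
        print(f"line {lineno}: no cmd restriction: {rule}")
```

On a real system, pass the contents of the doas configuration file instead of SAMPLE_CONF; any rule it reports is one to review on hosts still running a package older than 6.8.1-2.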