Security Issues Discovered in Sudo-Rs

Postedabout 2 months agoActiveabout 2 months ago

kahlonel

24 points

15 comments

lists.debian.orgTechstory

calmmixed

Debate

60/100

Sudo-RsRustSecurity Vulnerabilities

Key topics

Sudo-Rs

Rust

Security Vulnerabilities

Security issues were discovered in sudo-rs, a Rust-based implementation of sudo, prompting discussion on the role of Rust in preventing memory safety issues.

Snapshot generated from the HN discussion

Discussion Activity

Moderate engagement

First comment

13m

Peak period

0-2h

Avg / period

Comment distribution15 data points

Loading chart...

Based on 15 loaded comments

Key moments

01Story posted
Nov 12, 2025 at 5:08 AM EST
about 2 months ago
Step 01
02First comment
Nov 12, 2025 at 5:21 AM EST
13m after posting
Step 02
03Peak activity
6 comments in 0-2h
Hottest window of the conversation
Step 03
04Latest activity
Nov 13, 2025 at 1:36 AM EST
about 2 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (15 comments)

Showing 15 comments

wiz21c

about 2 months ago

3 replies

as far as i can see, it's just programming errors, nothing to do with rust.

_flux

about 2 months ago

2 replies

Everything to do with reimplementing sudo, though.

But sudo has its share of CVEs as well (latest CVE-2025-32463), so perhaps a fresh look on the tool is warranted; perhaps some learnings have been taken from it.

noobermin

about 2 months ago

1 reply

I think if rust was used to replace other bits (say things like utilities like grep or whatever) instead of security vital things like sudo, there would be less complaints.

_flux

about 2 months ago

1 reply

Do you mean like uutils/coreutils.. Which certainly collects complaints :).

noobermin

about 2 months ago

No doubt. I'm just guessing people would grumble less.

ciupicri

about 2 months ago

1 reply

A fresh look would be perhaps doas [1] from the OpenBSD project.

[1]: https://man.openbsd.org/doas.1

_flux

about 2 months ago

sudo-rs tries to be more or less a drop-in replacement for the original one, though, meaning minimal reconfiguration should be required for it.

never_inline

about 2 months ago

Do they have test suite comparable to that of original sudo, or can they reuse the test suite of original sudo?

egorfine

about 2 months ago

Same could be said about many of the real sudo bugs, but that argument doesn't stick with rust fanboys.

(Obligatory disclaimer: I love rust, I hate fanboys and rewrites)

_flux

about 2 months ago

1 reply

What were the actual fixes like?

thw_9a83c

about 2 months ago

1 reply

There is a link to github commit in the "Notes" section for each CVE [1].

[1]: https://security-tracker.debian.org/tracker/source-package/r...

_flux

about 2 months ago

1 reply

Well, doesn't seem the issue would have been avoidable other than with "harder thinking" or better testing or something like that.

Maybe model checkers could be used, but perhaps the search space is too large for all the featuers, and keeping the source in sync with the model could be quite fragile. And who knows, maybe the model would have the same issue.

whatevaa

about 2 months ago

Sudo is overcomplicated and since this is a drop-in replacement, it inherits all the complexities.

portmanteaufu

about 2 months ago

To save everyone a click, the text is:

""" Two security issues were discovered in sudo-rs, a Rust-based implemention of sudo (and su), which could result in the local disclosure of partially typed passwords or an authentication bypass in some targetpw/rootpw configurations.

For the stable distribution (trixie), this problem has been fixed in version 0.2.5-5+deb13u1.

We recommend that you upgrade your rust-sudo-rs packages. """

m4rtink

about 2 months ago

But memory safety!

View full discussion on Hacker News

ID: 45898377Type: storyLast synced: 11/20/2025, 12:47:39 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN