Control: affects -1 sudo
On Mon, Jun 30, 2025 at 11:44:17PM +0100, Colin Watson wrote:
+sudo: a remote host may only be specified when listing privileges.
Well, it's definitely due to the new sudo, since it has this change in
the patch for CVE-2025-32462, backported from
https://github.com/sudo-project/sudo/commit/d530367828e3713d09489872743eb92d31fb11ff:
+ /* The user may only specify a host for "sudo -l". */
+ if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) {
+ if (strcmp(ctx->runas.host, ctx->user.host) != 0) {
+ log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT,
+ N_("user not allowed to set remote host for command"));
+ sudo_warnx("%s",
+ U_("a remote host may only be specified when listing
privileges."));
+ ret = false;
+ goto done;
+ }
+ }
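
Review bot: the strcmp() of ctx->runas.host against ctx->user.host is an exact string match, so for any mode other than MODE_LIST or MODE_CHECK a -h value that names the local machine under a different spelling (such as "localhost", or a short name where the other side is fully qualified) is refused with "a remote host may only be specified when listing privileges." The comment should say that only the exact value of ctx->user.host is accepted, so that callers passing -h know which string will pass. The comment also mentions only "sudo -l", while the condition exempts MODE_CHECK as well; it should name both modes.
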
I think reprotest's sudoers file uses "ALL" as the host throughout, and
https://www.openwall.com/lists/oss-security/2025/06/30/2 seems to say
that this security vulnerability never affected rules for the host "ALL"
in the first place. Is it possible that the fix was overbroad?

If reprotest can't drop the -h option for other reasons, then I guess it
might be possible for reprotest to use socket.gethostname() instead of
localhost, but I'm not sure how guaranteed it is that that will match
the output of sudo_gethostname().
--
Colin Watson (he/him) [cjwat...@debian.org]