On Tue, 23 Sep 2025 05:21:13 +0200, Solar Designer wrote:
> FWIW, this paper was brought to oss-security back then, and I've added
> CC's to this reply based on that message:
>
> https://www.openwall.com/lists/oss-security/2023/12/21/9
>
> The only CVE I see in the paper itself is CVE-2023-42465 for sudo, which
> upstream (and some distros) fixed. Was it perhaps more serious for sudo
> (actually exposed in real-world setups)? Also CC'ing Todd for sudo.
I don't think it was particularly serious for sudo. The attack was only
against passwd-based authentication, not PAM. As such it didn't really
affect modern systems.

The interesting thing, to me anyway, was that it shows how a single-bit
flip can affect security-relevant functions with a boolean return value.
In contrast, a function that returns 0 on success and -1 (or other
negative values) on error can be safer as long as the caller checks for
success (0) instead of error (-1).

For sudo I chose to use return values where a large number of bits need
to be flipped during the policy evaluation. However, the interface
between the sudo front-end and the policy module still uses a 0/1/-1
return value so it's not clear how effective this actually is.

 - todd
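The point Todd makes above (a boolean return versus a 0-on-success return, and the residual 0/1/-1 front-end interface) can be made concrete by enumerating every single-bit flip of a "denied" return value and counting how many of them a given caller would treat as "allowed". The program below is an added illustration written for this thread, not code from sudo or from the paper; the return conventions, the caller checks and the wide "accept" constant are constructed for the example and do not reproduce sudo's actual constants or plugin API.

```c
#include <stdint.h>
#include <stdio.h>

#define WIDTH 32  /* we model a 32-bit int return value */

/* Each "caller" below is one way code might interpret an auth/policy
 * result. Return 1 if the caller would treat `ret` as "allowed". */

/* Convention A: boolean result, any nonzero value means authenticated. */
static int caller_bool_allows(int32_t ret) { return ret != 0; }

/* Convention B: 0 = success, -1 = error; the caller checks for success. */
static int caller_zero_success_allows(int32_t ret) { return ret == 0; }

/* Convention C: same return values as B, but the caller checks for the
 * error value instead of for success (the weaker check). */
static int caller_not_error_allows(int32_t ret) { return ret != -1; }

/* Convention D: a constructed 0/1/-1 plugin interface where 1 = accept,
 * 0 = reject, -1 = error; the caller checks for accept. */
static int caller_plugin_accepts(int32_t ret) { return ret == 1; }

/* Convention E: accept is a constructed wide constant whose bit pattern is
 * far (in Hamming distance) from every non-accept value the callee emits. */
#define ACCEPT_MAGIC ((int32_t)0x5A3C96C3)
#define DENY_MAGIC   ((int32_t)~0x5A3C96C3)
static int caller_magic_allows(int32_t ret) { return ret == ACCEPT_MAGIC; }

/* Count how many of the WIDTH single-bit flips of `denied` would be read
 * as "allowed" by the given caller. A fault model of exactly one flipped
 * bit in the returned register/variable is assumed. */
static int count_flips_to_allow(int32_t denied, int (*allows)(int32_t)) {
    int n = 0;
    for (int bit = 0; bit < WIDTH; bit++) {
        uint32_t flipped = (uint32_t)denied ^ (1u << bit);
        if (allows((int32_t)flipped))
            n++;
    }
    return n;
}

/* Hamming distance between two return values: the minimum number of bit
 * flips needed to turn one into the other. */
static int hamming(int32_t a, int32_t b) {
    uint32_t x = (uint32_t)a ^ (uint32_t)b;
    int d = 0;
    while (x) { d += (int)(x & 1u); x >>= 1; }
    return d;
}

int main(void) {
    printf("%-40s %s\n", "convention (denied value -> caller check)",
           "single-bit flips that yield allow");
    printf("%-40s %d/%d\n", "A: bool, denied=0, allow if ret!=0",
           count_flips_to_allow(0, caller_bool_allows), WIDTH);
    printf("%-40s %d/%d\n", "B: 0/-1, denied=-1, allow if ret==0",
           count_flips_to_allow(-1, caller_zero_success_allows), WIDTH);
    printf("%-40s %d/%d\n", "C: 0/-1, denied=-1, allow if ret!=-1",
           count_flips_to_allow(-1, caller_not_error_allows), WIDTH);
    printf("%-40s %d/%d\n", "D: 0/1/-1 plugin, rejected=0, allow if ret==1",
           count_flips_to_allow(0, caller_plugin_accepts), WIDTH);
    printf("%-40s %d/%d\n", "D: 0/1/-1 plugin, error=-1, allow if ret==1",
           count_flips_to_allow(-1, caller_plugin_accepts), WIDTH);
    printf("%-40s %d/%d (distance %d)\n", "E: magic, denied=DENY_MAGIC",
           count_flips_to_allow(DENY_MAGIC, caller_magic_allows), WIDTH,
           hamming(DENY_MAGIC, ACCEPT_MAGIC));
    return 0;
}
```

The table it prints makes the thread's reasoning visible: with a boolean result every one of the 32 flips of a 0 turns into an allow, while with 0-on-success and a caller that tests `== 0` no single flip of -1 can reach 0. Convention C shows that the same callee values give no protection if the caller tests for the error value instead. Convention D reproduces Todd's caveat about the front-end interface: reject (0) and accept (1) differ in exactly one bit, so the wide internal return values only help if that last hop is also checked carefully.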
