If you use Linux and it doesn't sound familiar to you SudoWell, let me just say that it surprises me. Basically, whenever you want to type a command that requires special permissions, it is the first thing you should type, like "sudo apt update" on systems using APT or "sudo pacman -Syu" on systems using Pacman. Considering that it allows us to do practically anything, it is important that it is perfect, and we cannot say that it was a few hours ago.
Security researchers have reported details of a vulnerability in Sudo that could be exploited by a malicious user to gain root privileges on Linux operating systems. These researchers specifically mention «a wide range of Linux-based systems«, But they do not detail which ones. Yes I can confirm that Sudo has already been updated on Arch Linux-based and Ubuntu-based systems, at least in the official flavors.
Probably the most important Sudo glitch in its recent history
Researchers say this could be the most significant Sudo vulnerability in its recent history. The ruling, known as Baron Samedit, is listed as the CVE-2021-3156 and the most worrying thing is that existed for almost ten years. What should calm us a bit, although not too much, is that it could only be exploited with physical access to the device.
Security researchers have managed to exploit the flaw in three versions of three very popular operating systems: Ubuntu 1.8.31 v20.04, Debian 1.8.27 v10, and Fedora 1.9.2 v33. They don't say this directly, but they do say that «probably other operating systems and distributions are also vulnerable«, To which I would say that it is something practically safe.
The version of Sudo that fixes this bug is 1.9.5p2:
Sudo prior to 1.9.5p2 has a Heap-based buffer overflow, allowing privilege escalation to root via "sudoedit -s" and a command line argument ending with a single backslash character.
A little over a year ago it was corrected another similar problem, and although Miter does not mention it, Canonical does say that the priority to correct it or the gravity is high. Considering how easy it is to apply the patch, even if nobody touches our equipment, it is recommended to update as soon as possible.
Last night I got the update (version 1.9.5p2) in Manjaro
With all due respect to Windows 10 users, the vulnerability was patched much faster than on Microsoft's OS ...