Matthias Gerstener (Matthias Gerstner) from SUSE Security Team conducted an audit of the Please , developed as a safer alternative to sudo written on RUST language and regular expressions. The utility comes in Debian Testing and Ubuntu 21.04 repositories in the RUST-Pleaser package. During the audit, The group of vulnerabilities (CVE-2021-31153, CVE- 2021-31154, CVE-2021-31155), resulting in collapse and non-eliminating the possibility of creating exploits to increase privileges in the system.
Vulnerabilities Fixed in the Please 0.4 branch (package updates are already offered for Ubuntu and Debian ). Details about the nature of vulnerabilities are not yet reported – only one shared patch and Brief explanation , which of the recommendations to eliminate security problems are applied.
For example, the transition to the use of FD when performing the CHMOD and chown operation, DO_ENVIRONMENT Call Selecting Calls SeTeUID / SETGUID, Apply the O_NoFollow flag to disable symbolic links, limit directories to a specific range of values, use random characters in temporary file names and Setting the file size limit settings.
It is interesting that after preparing the patch, it turned out that after installing the package on executable files / USR / BIN / PLEASE and / USR / BIN / PleaseEdit, the SETUID flag has ceased to be made, which required another