File _patchinfo of Package patchinfo.27910

<patchinfo incident="27910">
  <issue tracker="bnc" id="1206483">sudo crashes in sssd module on empty RunAs list</issue>
  <issue tracker="bnc" id="1206772">sudo asks for password for non-existing command</issue>
  <issue tracker="bnc" id="1203201">L3-Question: sudo block in ppoll syscall while child process already gone</issue>
  <issue tracker="bnc" id="1209361">VUL-0: CVE-2023-28487: sudo: does not escape control characters in sudoreplay output.</issue>
  <issue tracker="bnc" id="1208595">VUL-0: CVE-2023-27320: sudo: double free with per-command chroot sudoers rules</issue>
  <issue tracker="bnc" id="1209362">VUL-0: CVE-2023-28486: sudo: does not escape control characters in log messages.</issue>
  <issue tracker="cve" id="2023-27320"/>
  <issue tracker="cve" id="2023-28486"/>
  <issue tracker="cve" id="2023-28487"/>
  <packager>jsikes</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for sudo</summary>
  <description>This update for sudo fixes the following issues:

Security issues:

- CVE-2023-28486: Fixed missing escaping of control characters in log messages (bsc#1209362).
- CVE-2023-28487: Fixed missing escaping of control characters in sudoreplay output (bsc#1209361).
- CVE-2023-27320: Fixed a potential security issue caused by a double free with per-command chroot sudoers rules (bsc#1208595).

Bug fixes:

- Fix a situation where "sudo -U otheruser -l" would dereference a NULL pointer (bsc#1206483).
- If NOPASSWD is specified, don't ask for password if command is not found (bsc#1206772).
- Do not re-enable the reader when flushing the buffers as part of pty_finish() (bsc#1203201).
</description>
</patchinfo>