Rusty sudo holes quickly welded shut


Two vulnerabilities in Ubuntu 25.10's new "sudo-rs" command have been found, disclosed, and fixed in short order.

On Monday, Ubuntu security notice USN-7867-1 revealed two security holes in the new Rusty sudo command, whose arrival in version 25.10 The Register described back in May. sudo-rs is a separate project from the other new Rust component in Questing Quokka, the Rust replacements for the GNU coreutils.

True, security vulnerabilities are a bad thing in a core tool whose whole purpose is authentication and privilege elevation, but these holes are fairly minor and would be hard to exploit.

The Reg FOSS desk encountered sudo in the first public beta of Mac OS X, way back in 2000, but the classic C version is a venerable tool. It's so old that precise initial dates are lost to time, but the project's own history says it dates back to 1980. (The project's logo is much younger than the code – it's a reference to a 2006 XKCD comic.) Ubuntu has included the sudo command – and discouraged use of the all-powerful root account – since its very first release, 4.10 "Warty Warthog."

The new sudo-rs implementation is a total rewrite, and project lead Marc Schoolderman of the Trifecta Tech Foundation delivered a talk about it at last month's Ubuntu Summit, titled "Sudo-rs and beyond." This vulture attended that talk and spoke to Schoolderman afterwards, so we contacted him. Here's what happened from the horse's mouth:

Given that many people in the Linux world have strong feelings about Rust, both for and against, he also pointed out that neither issue was related to memory safety – and therefore not directly to Rust itself at all.

That said, both bugs do have security implications – even if they're only slim ones – so it's worth discussing them and assigning numbers. Sharing the information – and the fixes, and the reasons for the fixes – helps spread the word. He told us that the team had also backported the security fixes to the version of sudo-rs in Debian "stable," which makes life easier for downstream packagers.

Since the release of Questing almost exactly a month ago, this is the second time that the bug-hunters' spotlight has focused on the new Rust components. Back on October 23, Julian Andres Klode posted a message to the ubuntu-security-announce mailing list revealing a date-handling bug in the Rust coreutils.

Canonical's own Bug #2127970 has the details. The date -r $FILENAME command is intended to report the last time a file changed:

-r, --reference=FILE display the last modification time of FILE

The new Rusty date command didn't. It returned the current date instead, which is what happens if you just type the bare date command with no arguments. Among other things, this broke automatic updates: the background checks compare file timestamps against a cut-off date, and with -r ignored they couldn't tell whether files were older than that date.
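A quick way to check for exactly this failure mode on an installed system, as an added example that is not from the article, from Canonical's bug report, or from the uutils project: give a scratch file a known, old modification time, ask date -r for it, and compare with what date reports for "now." The epoch value 1000000000 (2001-09-09 01:46:40 UTC) is a constructed test input, and the script assumes GNU-style touch -d and date -r options as shipped on Ubuntu.

```bash
#!/bin/sh
# Added example: detect a `date -r FILE` that ignores the reference file
# and reports the current time instead (the regression described above).
set -eu

# Constructed test input: a fixed epoch well in the past.
REF_EPOCH=1000000000

# Print the epoch seconds that `date -r` reports for a file whose mtime
# has been set to $REF_EPOCH. A correct date prints $REF_EPOCH back.
date_r_reports() {
    tmp=$(mktemp)
    touch -d "@$REF_EPOCH" "$tmp"        # set mtime, GNU touch syntax
    got=$(date -u -r "$tmp" +%s)         # what the installed date says
    rm -f "$tmp"
    printf '%s\n' "$got"
}

# Succeed (exit 0) only if -r is honoured: the reported time must equal the
# file's mtime, not the current time.
date_reference_ok() {
    got=$(date_r_reports)
    now=$(date -u +%s)
    if [ "$got" = "$REF_EPOCH" ]; then
        return 0
    fi
    # Distinguish "ignored -r, printed now" from some other breakage.
    if [ "$got" -ge "$((now - 5))" ] && [ "$got" -le "$((now + 5))" ]; then
        echo "date -r ignored the reference file and printed the current time" >&2
    else
        echo "date -r printed $got, expected $REF_EPOCH" >&2
    fi
    return 1
}

if date_reference_ok; then
    echo "date -r honours the reference file's mtime"
else
    echo "BUG: date -r is not reporting the reference file's mtime" >&2
fi
```

On a system carrying the buggy Rust date, date_reference_ok fails and names the symptom; on a fixed system it succeeds. The same idea can be used as a pre-flight check in any script that relies on date -r to compare file ages.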

As discussed on Reddit, this is because the Rust commands silently accept all the same switches as the C versions from the GNU coreutils, including ones they don't yet act on, rather than rejecting the ones they haven't implemented. As a comment noted, this is quite common behavior in packages that ship replacements for older, more complex tools – such as the Postfix sendmail command, which is a much simpler replacement for the classic sendmail (see the bootnote).

The good news is that the Rust date issue didn't cause serious breakage. A normal check for updates was unaffected: run an update, the fixed date command was installed, and the problem went away. The sudo-rs bugs, by contrast, are security issues, and so the still-young sudo-rs project went through the full Coordinated Vulnerability Disclosure process. Schoolderman told us: "Internally, we're pleased with how smoothly this process went, and our interactions with other stakeholders in the open source community."

This kind of thing is important, and it's why interim Ubuntu releases exist – to get new tools out there early, so that people can find the issues that nobody anticipated. Schoolderman concluded:

Bootnote

The original sendmail program was written by Eric Allman, and it is renowned: "Sendmail has the reputation of having the most hideous configuration file in the history of mankind." During his Unix apprenticeship in the 1980s, this vulture had to learn to write a basic sendmail.cf file. As the Linux Network Administrator's Guide puts it:

At last year's EuroBSDCon, this vulture met Allman, and got his autograph. ®
