9
Condor
4y

Just mirrored sudo to my own Gitea instance yesterday (https://git.ghnou.su/mir/sudo). Turns out that this chonkster is 200MB compressed (LZ4 on ZFS). I am baffled by it... All it needs to do is reading a configuration file describing what users can be elevated, to which user and which commands they can run. Perhaps doas wasn't a bad idea after all?

Oh and it got a privilege escalation vulnerability just yesterday (https://security-tracker.debian.org/...), which is why I got interested in it. Update your sudo packages if you haven't already.
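As an added illustration of the configuration the post describes (not part of the original post or of the sudo or doas projects), here is the same least-privilege rule written for sudoers and for doas.conf; the user, target account and command are constructed placeholders.

```text
# --- /etc/sudoers.d/deploy (sudoers syntax) ---
# Let user "deploy" run exactly one command as the "www-data" account,
# on any host (ALL), without a password prompt. No other command is allowed.
deploy ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart app.service

# --- /etc/doas.conf (doas syntax) ---
# Same policy: identity "deploy", target "www-data", one command with fixed args.
permit nopass deploy as www-data cmd systemctl args restart app.service
```

Check a sudoers fragment with "visudo -c -f <file>" before installing it; a syntax error in a live sudoers file can lock every user out of privilege elevation.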

Comments
  • 3
    I just looked it up and apparently it's a 1MB package in Debian.
  • 1
    200 MB with all history?
  • 1
    Yep, spent about 2 hrs updating all of my own and my company's servers for this CVE.

    Was baffled to see apt wanted to pull over 300MB to upgrade...
  • 1
    Wait there's a new sudo CVE? ID please, this missed my radar.
  • 1
    CVE-2021-3156
  • 0
    @electrineer Yes, this is the development repo. I haven't looked much into it yet, but the difference between the package and repo size is quite stark. I wonder why the repo is this large...
  • 0
    @Condor du -sh *
  • 0
    @stop The size metrics are correct. I would've thought that even specifying that I am using ZFS with LZ4 compression enabled would be sufficient.

    You could clone the repository if you need further confirmation. If your filesystem does not have compression enabled (which Gitea takes into account), the result will likely be even larger.
  • 4
    Because sudo has been around for ages. It's probably seen a lot of refactoring, reformatting, could have binaries in and out of it over time, etc.

    git clone --depth=1 is your friend for this reason, unless you need the history for some reason.
  • 1
    Don't use sudo.

    It's shit. And not the tool for the job you want to do.
  • 7
    @IntrusionCM is not in the sudoers file. This incident will be reported.