SB2025111266 - Ubuntu update for rust-sudo-rs 

Published: November 12, 2025

Security Bulletin ID: SB2025111266
Severity: Low
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Local access
Highest impact: Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Insufficient Logging (CVE-ID: CVE-2025-64517)

The vulnerability allows a local user to hide their activity on the system.

The vulnerability exists because sudo-rs records the invoking user's UID, instead of the UID of the account it actually authenticated as, in the authentication timestamp when Defaults targetpw (or Defaults rootpw) is enabled. A local privileged user can run commands as any other account the policy permits them to run commands for, even if they don't know the password for those accounts.
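The following is an added, simplified model (not sudo-rs source code) of the keying mistake described above. Under targetpw/rootpw semantics the password that gets checked belongs to the target account, so a timestamp record keyed only by the invoking UID cannot tell a cached root authentication apart from an authentication as some other account. The UIDs, the 15-minute timeout and the two-step walkthrough are constructed assumptions for illustration.

```python
"""Constructed model of a sudo-style authentication-timestamp cache.

Added illustration, not sudo-rs source. It models CVE-2025-64517: with
``Defaults targetpw`` or ``Defaults rootpw`` the password checked belongs
to the target account (or root), so a timestamp record must remember
*which* account was authenticated, not only which user invoked sudo.
"""
from dataclasses import dataclass, field

TIMESTAMP_TIMEOUT = 15 * 60  # seconds; sudo's default timestamp_timeout

# Constructed UIDs for the walkthrough (assumptions, not from the bulletin).
INVOKER_UID = 1000   # the local user running sudo
ROOT_UID = 0
OTHER_UID = 1001     # another account the policy lets INVOKER_UID run as


@dataclass
class TimestampCache:
    """Stores the time of each successful password check.

    key_on_authenticated_uid=False reproduces the flawed behaviour
    (record keyed by invoking UID only); True is the corrected keying.
    """
    key_on_authenticated_uid: bool
    records: dict = field(default_factory=dict)

    def _key(self, invoking_uid: int, authenticated_uid: int):
        if self.key_on_authenticated_uid:
            return (invoking_uid, authenticated_uid)
        return invoking_uid  # flawed: forgets whose password was checked

    def record_success(self, invoking_uid: int, authenticated_uid: int,
                       now: float) -> None:
        self.records[self._key(invoking_uid, authenticated_uid)] = now

    def password_required(self, invoking_uid: int, authenticated_uid: int,
                          now: float) -> bool:
        """True if no unexpired record covers this (invoker, authenticated-as) pair."""
        stamped = self.records.get(self._key(invoking_uid, authenticated_uid))
        return stamped is None or now - stamped >= TIMESTAMP_TIMEOUT


def target_user_password_needed(key_on_authenticated_uid: bool) -> bool:
    """Walk through the bulletin's scenario under targetpw semantics.

    1. The invoker runs a command as root and correctly enters root's password.
    2. A minute later the invoker asks to run a command as OTHER_UID, whose
       password (under targetpw) is the one that should now be checked.
    Returns whether step 2 prompts for OTHER_UID's password.
    """
    cache = TimestampCache(key_on_authenticated_uid)
    cache.record_success(INVOKER_UID, ROOT_UID, now=1000.0)
    return cache.password_required(INVOKER_UID, OTHER_UID, now=1060.0)


if __name__ == "__main__":
    print("flawed keying prompts for the other account's password:",
          target_user_password_needed(False))   # False: cached root auth reused
    print("corrected keying prompts for the other account's password:",
          target_user_password_needed(True))    # True
```

With the corrected keying a second root command inside the timeout still reuses the root record, which is the intended convenience of the timestamp; only the cross-account reuse goes away.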


2) Information disclosure (CVE-ID: CVE-2025-64170)

The vulnerability allows an attacker to gain access to potentially sensitive information.

The vulnerability exists due to the way timeouts are implemented. When a user types part of a password but does not press return for a long time, a password timeout can occur. This results in the characters entered as the password being displayed in the console. An attacker with physical access to the system can observe the entered data in the console.


Remediation

Install the update from the vendor's website.
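Because CVE-2025-64517 only applies when Defaults targetpw or Defaults rootpw is enabled, an administrator rolling out the update across a fleet will want to know which hosts actually use those settings. The script below is an added example, not part of the bulletin or of sudo-rs: it reports enabled targetpw/rootpw options in sudoers-format text, honouring comment lines, backslash continuations, per-scope Defaults (Defaults:user, Defaults@host, Defaults>runas, Defaults!command) and the "!flag" negation. The sample sudoers text is constructed; the default paths /etc/sudoers and /etc/sudoers.d are the conventional locations and are only read when the script is run directly.

```python
"""Added configuration check (not from the bulletin or sudo-rs): report
``Defaults targetpw`` / ``Defaults rootpw`` in sudoers-format text, since
CVE-2025-64517 only applies when one of them is enabled.
"""
import os
import re
import sys

AFFECTED_FLAGS = {"targetpw", "rootpw"}
# "Defaults" optionally followed by a scope: Defaults:user, Defaults@host,
# Defaults>runas, Defaults!command. The scope is kept for reporting.
DEFAULTS_RE = re.compile(r"^Defaults([:@>!]\S+)?\s+(.*)$")


def _logical_lines(text: str):
    """Yield (first_line_number, joined_line), honouring backslash continuations."""
    buf, start = [], None
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if start is None:
            start = number
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended inside a continuation
        yield start, " ".join(buf)


def enabled_password_flags(text: str):
    """Return [(line_number, scope, flag)] for every enabled targetpw/rootpw.

    '!targetpw' / '!rootpw' (explicitly disabled) are not reported. Options on
    a Defaults line are comma-separated.
    """
    found = []
    for number, line in _logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank, comment, or a #include directive
        match = DEFAULTS_RE.match(stripped)
        if not match:
            continue
        scope = "Defaults" + (match.group(1) or "")
        for option in match.group(2).split(","):
            option = option.strip()
            if option in AFFECTED_FLAGS:
                found.append((number, scope, option))
    return found


# Constructed sample sudoers text used for the demonstration.
SAMPLE_SUDOERS = """\
# constructed example, not a real host's configuration
Defaults env_reset, targetpw
Defaults:alice !targetpw
Defaults \\
    rootpw
root ALL=(ALL:ALL) ALL
"""


def scan_paths(paths):
    """Read each sudoers file (recursing into directories); findings keyed by path."""
    report = {}
    for path in paths:
        if os.path.isdir(path):
            report.update(scan_paths(
                os.path.join(path, name) for name in sorted(os.listdir(path))))
            continue
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = enabled_password_flags(fh.read())
        except OSError as exc:  # e.g. permission denied when not run as root
            findings = [("-", "error", str(exc))]
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    targets = sys.argv[1:] or ["/etc/sudoers", "/etc/sudoers.d"]
    for path, findings in scan_paths(targets).items():
        for number, scope, flag in findings:
            print(f"{path}:{number}: {scope} {flag}")
```

Run it as root (sudoers files are normally mode 0440) or pass explicit file paths; a host that reports nothing is not exposed to CVE-2025-64517 even before the update is installed, while CVE-2025-64170 is independent of these settings.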