I updated security/sudo to 1.8.31. A fix for CVE-2019-18634 is included.
Originally only versions before 1.8.26 were thought to be vulnerable. Later analysis, however, showed that versions 1.8.26 – 1.8.30 are also vulnerable.
Here’s what’s new:
- Fixed CVE-2019-18634, a buffer overflow when the pwfeedback sudoers option is enabled on systems with uni-directional pipes. Read the published security alert for more information.
- The sudoedit_checkdir option now treats a user-owned directory as writable, even if it does not have the write bit set at the time of check. Symbolic links will no longer be followed by sudoedit in any user-owned directory. Bug #912.
- Fixed sudoedit on macOS 10.15 and above where the root file system is mounted read-only. Bug #913.
- Fixed a crash introduced in sudo 1.8.30 when suspending sudo at the password prompt. Bug #914.
- Fixed compilation on systems where the mmap MAP_ANON flag is not available. Bug #915.
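
A defender-side check for the pwfeedback item above, as an added example that is not code from the sudo project or the port: it takes a sudo version string and sudoers text, and reports whether pwfeedback is enabled on a sudo older than 1.8.31. The function names and the sample sudoers fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the sudo project or the port.

# version_lt A B: succeed when dotted version A is older than B.
# Assumption: a patch suffix such as "p2" is ignored for the comparison.
version_lt() {
    awk -v a="${1%%[!0-9.]*}" -v b="${2%%[!0-9.]*}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# pwfeedback_state: read sudoers text on stdin, print "enabled" if any
# Defaults scope (global, :user, @host, >runas, !cmnd) ends with pwfeedback on.
# Simplifications: include files and backslash continuations are not followed.
pwfeedback_state() {
    awk '/^[ \t]*Defaults/ {
        scope = $1; line = $0
        sub(/^[ \t]*Defaults[^ \t]*[ \t]*/, "", line)
        sub(/#.*/, "", line)
        n = split(line, opt, ",")
        for (i = 1; i <= n; i++) {
            o = opt[i]; gsub(/[ \t]/, "", o)
            if (o == "pwfeedback") state[scope] = 1
            else if (o == "!pwfeedback") state[scope] = 0
        }
    }
    END { for (s in state) if (state[s]) on = 1
          print (on ? "enabled" : "disabled") }'
}

# audit_sudo VERSION < sudoers: classify a host against the 1.8.31 fix.
audit_sudo() {
    fb=$(pwfeedback_state)
    if ! version_lt "$1" 1.8.31; then echo patched
    elif [ "$fb" = enabled ]; then echo exposed
    else echo unpatched
    fi
}

# Constructed sample sudoers fragment, not taken from a real system.
sample='Defaults env_reset, pwfeedback
Defaults:backup !pwfeedback
%wheel ALL=(ALL) ALL'
printf '%s\n' "$sample" | audit_sudo 1.8.30
```

Pass it the version reported by `sudo -V` and the contents of the sudoers file together with any files it includes.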