this post was submitted on 11 Nov 2025
61 points (96.9% liked)


The Ubuntu 25.10 transition to using some Rust system utilities continues proving quite rocky. Beyond some early performance issues with Rust Coreutils, breakage for some executables, and broken unattended upgrades due to a Rust Coreutils bug, it's also sudo-rs now causing Ubuntu developers some headaches. There are two moderate security issues affecting sudo-rs, the Rust version of sudo being used by Ubuntu 25.10.

top 22 comments
[–] gravitas_deficiency@sh.itjust.works 7 points 2 hours ago (1 children)

So:

  • yes, that’s pretty sketchy
  • this is also AFAIK the first major distro that it’s been a part of as a stock install, so this is the first exposure at scale that the project has had; as unfortunate as it is, it can be argued that this might fall under “teething issues”
  • with that said, it sounds like the rust coreutils people need to step up their game in terms of thinking in and testing for adversarial contexts. Normal test cases do not cut it when you’re dealing with stuff like sudo - it needs to be put through the wringer.

Gonna say what I said so many times, and even a few times in this comment section.

ALL.software.has.bugs.

The language doesn't matter. AI doesn't matter. Testing doesn't matter. Every single piece of software will be vulnerable to something eventually.

Staying on top of it is the best you can do.

[–] Aatube@kbin.melroy.org 8 points 2 hours ago

One of the patches is to prevent the sudo password from being leaked in case of a timeout or sudo being killed. Another patch is to use enum for the feedback parameter. Another patch to ensure feedback is always erased before exiting the read unbuffered code. Another change is also made to not treat backspace as a password character when the password is empty.
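A simplified model of the behaviours listed in the comment above, added here as an illustration; it is not sudo-rs code and not the commenter's. All names are hypothetical, and a `None` key stands in for a timeout or the process being killed before Enter is pressed.

```rust
// Added illustration, not sudo-rs code. All names here are hypothetical.
#[derive(Clone, Copy, PartialEq)]
enum Feedback { Hidden, Asterisks } // an enum instead of a bare flag

#[derive(Debug, PartialEq)]
enum Outcome { Entered(Vec<u8>), Aborted }

const ERASE: &str = "\x08 \x08"; // step back, overwrite with space, step back

/// Runs the prompt logic over `keys` (bytes from a raw-mode terminal; `None` is
/// a timeout or kill). Returns the outcome and everything written to the tty.
fn read_password(keys: &[Option<u8>], feedback: Feedback) -> (Outcome, String) {
    let mut pw: Vec<u8> = Vec::new();
    let mut tty = String::new();
    let mut shown = 0usize; // feedback characters currently on screen
    let mut outcome = Outcome::Aborted; // partial input is never returned
    for key in keys {
        match key {
            Some(b'\n') | Some(b'\r') => {
                outcome = Outcome::Entered(pw.clone());
                break;
            }
            Some(0x08) | Some(0x7f) => {
                // Backspace on an empty buffer is a no-op, never password data.
                if pw.pop().is_some() && shown > 0 {
                    tty.push_str(ERASE);
                    shown -= 1;
                }
            }
            Some(b) => {
                pw.push(*b);
                if feedback == Feedback::Asterisks {
                    tty.push('*');
                    shown += 1;
                }
            }
            None => break, // timeout or kill before Enter
        }
    }
    // Single exit path: feedback is erased whether the read finished or not.
    for _ in 0..shown { tty.push_str(ERASE); }
    (outcome, tty)
}

fn main() {
    // Constructed input: backspace at an empty prompt, "ab", then a timeout.
    let keys = [Some(0x7f), Some(b'a'), Some(b'b'), None];
    println!("{:?}", read_password(&keys, Feedback::Asterisks));
}
```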

[–] just_another_person@lemmy.world 36 points 4 hours ago (5 children)

Which batch of you turds was in here all up in my stuff last week when I said Rust projects have security vulnerabilities all the time just as any other and you all were arguing like "nuh-uh cuz Rust"?

Step up.

[–] MTK@lemmy.world 14 points 2 hours ago (1 children)

The Rust hype is funny because it is completely based on the fact that a leading cause of security vulnerabilities for all of these mature and secure projects is memory bugs, which is very true, but it completely fails to see that this is the leading cause because these are really mature projects that have highly skilled developers fixing so much shit.

So you get these new Rust projects that are sometimes made by people that don't have the same experience as these C/C++ devs, and they are so confident in the memory safety that they forget about the much simpler security issues.

[–] mesamunefire@piefed.social 7 points 2 hours ago

Can't tell you how many times I've heard about curl getting re-written. Same deal.

[–] entwine@programming.dev 24 points 3 hours ago

Everyone knows that memory safety isn't the only source of security vulnerabilities (unless you're bickering about programming languages on the internet, in which case 100% of security vulnerabilities are related to memory safety)

Rust users are one of Rust's biggest weaknesses.

[–] rikudou@lemmings.world 13 points 3 hours ago

The biggest problem with Rust is its users. They somehow think that having a safe memory access means fewer bugs. While it only means fewer memory management related bugs. Which honestly isn't even a problem with modern C++.

[–] SpaceNoodle@lemmy.world 7 points 3 hours ago (1 children)

b-b-b-but Rust is inherently safe!

[–] rikudou@lemmings.world 8 points 3 hours ago

Yeah, if you hash your passwords with unsalted md5 it's much more secure in Rust than PHP!

[–] zap12344@feddit.it -1 points 2 hours ago (1 children)

To me this says more about Canonical than Rust.

[–] just_another_person@lemmy.world 8 points 2 hours ago (1 children)

Canonical didn't make these tools...

[–] caseyweederman@lemmy.ca 2 points 17 minutes ago (1 children)

They do have a habit of overcommitting to tools that are not yet ready.

[–] 4am@lemmy.zip 1 points 3 minutes ago

Hell, snap still isn’t ready

[–] l3db3tt3r@piefed.social 1 points 1 hour ago (1 children)

The price of being on the bleeding edge.
But also, trust the process, it's a feature not a bug.

ALL software has bugs. Doesn't matter what the language is.

[–] pizza_the_hutt@sh.itjust.works 6 points 3 hours ago (1 children)

So glad I'm ditching Ubuntu. Sounds like it's none too soon.

[–] Aatube@kbin.melroy.org 9 points 2 hours ago (2 children)

there's regular and then there's LTS releases for a reason

[–] Dagnet@lemmy.world 6 points 2 hours ago

Ubuntu 24 LTS here and never had an issue. As someone who came from Windows and played around with Fedora for a while it's kinda really surprising.

[–] pizza_the_hutt@sh.itjust.works 5 points 2 hours ago (1 children)

The latest LTS release has really old software. The problem here is that the Ubuntu heads are pushing for replacement of core system utilities that aren't ready for prime time. These Rust components need at least another year to cook. This is just the latest bad decision from Ubuntu leadership. See SNAP.

If you want stability, just get Debian. If you need newer software, get an Arch-based distro.

[–] Aatube@kbin.melroy.org 5 points 1 hour ago (1 children)

i do use arch

is April 2024 software that old?

replacement of core system utilities that aren't ready for prime time

Could we talk about Unity? I'd wager that these bugs wouldn't have been found by 2027 if Ubuntu hadn't adopted sudo-rs. And I'd say "look at where Unity is right now" if they hadn't switched to GNOME Shell.

[–] caseyweederman@lemmy.ca 1 points 16 minutes ago

Yeah, fair. And 25.10 is a short-term release anyway. The point of it is to get a running start on 26.04.