What's the impact of this change?

Question

What's the impact of this change?

Closed this issue a year ago · 5 comments

Escape control characters in log messages and "sudoreplay -l" output.

334daf9

Answer 1 · 2023-03-20T13:49:24.000Z

It depends on how you view the logs and whether or not your syslog server escapes control characters itself. If you were to simply cat the log files there is the possibility that the command or arguments could contain control characters that affect the user's terminal, or newline characters that make it appear that a different command was run.

Answer 2 · 2023-03-21T01:24:52.000Z

In fact, I wonder why they're CVEs. @millert
https://nvd.nist.gov/vuln/detail/CVE-2023-28486
https://nvd.nist.gov/vuln/detail/CVE-2023-28487

Answer 3 · 2023-03-21T01:29:42.000Z

I didn't request those CVEs and I don't consider this to be a serious issue. Anyone can request a CVE, whether I think it is worth it or not...

Answer 4 · 2023-03-21T01:32:58.000Z

Okay, I see. Thank you so much.

Answer 5 · 2023-03-21T08:10:14.000Z

It depends on how you view the logs and whether or not your syslog server escapes control characters itself. If you were to simply cat the log files there is the possibility that the command or arguments could contain control characters that affect the user's terminal, or newline characters that make it appear that a different command was run.

I'm still wondering what valuable problems it solves.

I tried to compare the phenomenon before and after the modification. For example, run the following command:

[testuser@localhost root]$ sudo echo "hello
> \t
> \b
> \v
> \r
> c
> \c
> \010
> "
hello
\t
\b
\v
\r
c
\c
\010

The results are as follows, run the cat command, before:

Mar 21 15:03:42 : testuser : TTY=pts/2 ; PWD=/root ; USER=root ;
    COMMAND=/usr/bin/echo hello
\t
\b
\v
\r
c
\c
\010

after:

Mar 21 15:02:38 : testuser : TTY=pts/1 ; PWD=/root ; USER=root ;
    COMMAND=/usr/bin/echo
    hello#012\\t#012\\b#012\\v#012\\r#012c#012\\c#012\\010#012

Is that your "or newline characters that make it appear that a different command was run"?
Can you provide a scenario(cmd) to illustrate this situation -- "there is the possibility that the command or arguments could contain control characters that affect the user's terminal" ?

I have not found any scenarios that affect the terminal. My sudoers configuration is as follows：

testuser        ALL=(ALL)       ALL
Defaults logfile=/var/log/sudo.log
Defaults iolog_file=%{seq}/log
Defaults log_input
Defaults log_output

We look forward to your reply. Thank you. @millert