this post was submitted on 11 Nov 2025
166 points (98.8% liked)

Linux

10136 readers
1720 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev
166
sudo-rs Affected By Multiple Security Vulnerabilities - Impacting Ubuntu 25.10 (www.phoronix.com)
submitted 5 days ago by cm0002@literature.cafe to c/linux@programming.dev
58 comments fedilink hide all child comments
 

The Ubuntu 25.10 transition to using some Rust system utilities continues proving quite rocky. Beyond some early performance issues with Rust Coreutils, breakage for some executables, and broken unattended upgrades due to a Rust Coreutils bug, it's also sudo-rs now causing Ubuntu developers some headaches. There are two moderate security issues affecting sudo-rs, the Rust version of sudo being used by Ubuntu 25.10.

you are viewing a single comment's thread
view the rest of the comments
[–] BB_C@programming.dev 10 points 4 days ago (1 children)

sudo is NOT a part of coreutils. Anyone with basic *nix knowledge would have known this.

sudo-rs, as expected, is also NOT a part of uutils. And the projects happen to be very different in many aspects. uutils started from scratch as a hobby side-project, and it was developed from the start in idiomatic Rust. It can't directly take anything from the GNU implementation anyway, as explained in their README. sudo-rs however is a funded effort to translate some C projects into Rust with as little unsafe{} as possible. Some of the code was directly translated from the original implementation. And if you look at the code in general, you will see that it's rather low-level and looks more like C than Rust in many parts. Some of this is arguably necessary given the nature of sudo functionality, but not all of it.

Both projects do share the fact that they probably didn't push for distros, Ubuntu or anyone else, to switch to either of them by default already, and both were probably surprised it happened this soon.

And yes, this exposure, negative as it may seem for now, is an unavoidable "teething" period, and it's going to be of great benefit to both projects on the long run. Hopefully, Ubuntu users living on the edge wouldn't face too much trouble meanwhile.

(I don't use Ubuntu, but have been using sudo-rs by default for months.)

[–] gravitas_deficiency@sh.itjust.works 1 points 4 days ago

Pardon me for being less intimately familiar with the project - but my point still stands, in terms of test focus. And yes, of course I know bugs are inevitable - I’ve been writing them for damn near two decades at this point.