| Name | CVE-2023-28339 |
| Description | OpenDoas through 6.8.2, when TIOCSTI is available, allows privilege escalation because of sharing a terminal with the original session. NOTE: TIOCSTI is unavailable in OpenBSD 6.0 and later, and can be made unavailable in the Linux kernel 6.2 and later. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1034185 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| doas (PTS) | bullseye | 6.8.1-2 | vulnerable |
| opendoas (PTS) | sid, trixie, bookworm | 6.8.2-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| doas | source | (unstable) | (unfixed) | | | |
| opendoas | source | (unstable) | (unfixed) | | | 1034185 |
Notes
[bullseye] - doas <no-dsa> (Minor issue)
[bookworm] - opendoas <ignored> (Minor issue, will be addressed via kernel change which isn't in 6.1 yet)
https://github.com/Duncaen/OpenDoas/issues/106
https://www.openwall.com/lists/oss-security/2023/03/14/4
Restricting ioctl on the kernel side seems the better approach, patches have been
posted to kernel-hardening list, and can be mitigated with Linux 6.2, see option
CONFIG_LEGACY_TIOCSTI.