FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

sudo-rs -- Authenticating user not recorded properly in timestamp

Affected packages
0.2.5 <= sudo-rs < 0.2.10
0.2.5 <= sudo-rs-coexist < 0.2.10

Details

VuXML ID bf6c9252-c2ec-11f0-8372-98b78501ef2a
Discovery 2025-11-12
Entry 2025-11-16

Trifecta Tech Foundation reports:

With Defaults targetpw (or Defaults rootpw) enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. sudo-rs prior to 0.2.10 incorrectly recorded the invoking user’s UID instead of the authenticated-as user's UID in the authentication timestamp. Any later sudo invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it.
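An exposure check for the condition described in the report above, as an added example that is not part of the advisory or of sudo-rs: it tests a package version against the affected range listed on this page and reports whether targetpw or rootpw ends up enabled in a sudoers text. The function names and the sample policy are constructed for illustration, and files pulled in through include directives are not followed.

```python
import re

# Range taken from the advisory: 0.2.5 <= sudo-rs < 0.2.10
AFFECTED_MIN, FIXED = (0, 2, 5), (0, 2, 10)
FLAGS = ("targetpw", "rootpw")

def parse_version(version):
    """'0.2.8_1' -> (0, 2, 8); drops FreeBSD PORTREVISION/PORTEPOCH suffixes."""
    core = re.split(r"[_,]", version.strip(), maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))

def version_affected(version):
    return AFFECTED_MIN <= parse_version(version) < FIXED

def enabled_flags(sudoers_text):
    """Flags left enabled after all Defaults lines; scoped entries count too.
    Files pulled in via include directives are not followed."""
    state = {}  # (scope, flag) -> bool, later lines override earlier ones
    for raw in sudoers_text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue  # comment or include directive
        match = re.match(r"Defaults(\S*)\s+(.*)", line.split("#", 1)[0])
        if not match:
            continue
        scope, settings = match.groups()
        for item in settings.split(","):
            name = "".join(item.split())  # drop whitespace around the setting
            negated = name.startswith("!")
            if name.lstrip("!") in FLAGS:
                state[(scope, name.lstrip("!"))] = not negated
    return sorted({flag for (_, flag), on in state.items() if on})

def exposure(version, sudoers_text):
    """Flags that make this install reachable by the bug, else empty list."""
    return enabled_flags(sudoers_text) if version_affected(version) else []

# Constructed sample policy, not taken from a real system
SAMPLE_SUDOERS = """\
# constructed example
Defaults env_reset, rootpw
Defaults !rootpw
Defaults:operator targetpw
%wheel ALL=(ALL:ALL) ALL
"""

if __name__ == "__main__":
    for v in ("0.2.4", "0.2.8_1", "0.2.10"):
        print(v, exposure(v, SAMPLE_SUDOERS))
```

On FreeBSD the version argument can be taken from `pkg query %v sudo-rs`; a non-empty result means the host should be upgraded to 0.2.10 or later.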

References

CVE Name CVE-2025-64517
URL https://cveawg.mitre.org/api/cve/CVE-2025-64517