Post · bonfire.cafe

jomo

@jomo@mstdn.io · 4 days ago

FYI: The sudo-rs bug of leaking passwords on timeout is a general problem of line buffered stdin streams.

The `read` builtin suffers from the same problem.

https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw

#sudors #sudo_rs #bash #CVE_2025_64170 #infosec

GitHub

Partial password reveal when password timeout occurs

### Summary When typing partial passwords but not pressing return for a long time, a password timeout can occur. When this happens, the keys pressed are replayed onto the console. ### Example ...

GIF

jomo

@jomo@mstdn.io replied · 4 days ago

This issue occurs when using a line buffer, where the input is only placed into the buffer after a newline character was entered. When that character is not entered, the data is not read, and thus not flushed from stdin and is still waiting to be read by the next program (such as the shell) to read from the stdin buffer. Bash uses a character buffer to read your keyboard inputs, so the data is displayed immediately.

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

bonfire.cafe: About · Code of conduct · Privacy · Users · Instances

Bonfire social · 1.0.0 no JS en

Automatic federation enabled