CVE-2023-22809: 
NixOS vulnerability analysis and mitigation

In Sudo versions 1.8.0 through 1.9.12p1, a vulnerability was discovered in the sudoedit feature (CVE-2023-22809) that allows a local attacker to edit arbitrary files by manipulating environment variables. The vulnerability was discovered by Matthieu Barjole and Victor Cutillas of Synacktiv and was publicly disclosed on January 18, 2023 (Sudo Advisory, OSS Security).

The vulnerability exists in sudo's -e option (sudoedit) where it mishandles extra arguments passed through user-provided environment variables (SUDOEDITOR, VISUAL, and EDITOR). The issue occurs because a user-specified editor may contain a "--" argument that defeats a protection mechanism, for example using EDITOR='vim -- /path/to/extra/file'. This allows bypassing the intended file restrictions ([Sudo Advisory](https://www.sudo.ws/security/advisories/sudoeditany/)).

When successfully exploited, this vulnerability allows a local user with sudoedit privileges to edit arbitrary files on the system, potentially leading to privilege escalation. The attacker can modify files outside their authorized scope, which could result in system compromise (Debian Advisory, Gentoo Advisory).

The vulnerability was fixed in sudo version 1.9.12p2. For systems that cannot immediately update, a workaround exists by adding 'Defaults!sudoedit envdelete+="SUDOEDITOR VISUAL EDITOR"' to the sudoers file. For specific files, a CmndAlias can be used to restrict editor access ([Sudo Advisory](https://www.sudo.ws/security/advisories/sudoeditany/)).