RUSTSEC-2023-0069: 
Rust vulnerability analysis and mitigation

The vulnerability (CVE-2023-42456/RUSTSEC-2023-0069) affects sudo-rs, a memory-safe implementation of sudo and su, in versions prior to 0.2.1. The issue was discovered and disclosed on September 21, 2023. The vulnerability relates to how sudo-rs handles session files for user authentication, specifically when dealing with usernames containing special characters (GitHub Advisory).

The vulnerability stems from sudo-rs's session file management system, where authentication timestamps are stored in '/var/run/sudo-rs/ts' and named according to the username. The security flaw occurs when handling usernames containing '.' and '/' characters, which could lead to path traversal issues. The vulnerability has been assigned a CVSS v3.1 score of 3.1 (Low severity), with attack vector being Local, attack complexity Low, and requiring High privileges and User interaction (GitHub Advisory).

When exploited, this vulnerability could result in the corruption of specific files on the filesystem. For example, if a user with a specially crafted username like '../../../../bin/cp' executes 'sudo -K', it could lead to the deletion of the system's cp binary. The impact is primarily focused on system file integrity and availability (GitHub Advisory).

The vulnerability has been patched in sudo-rs version 0.2.1, which now uses the user's UID instead of username for determining the filename, completely eliminating the possibility of path traversal. As a workaround for unpatched systems, administrators should ensure that no users exist with specially crafted usernames containing path traversal characters, and that untrusted users cannot create arbitrary users on the system (GitHub Advisory, Debian Tracker).