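In OpenDoas from 6.6 to 6.8, the user's PATH variable was incorrectly inherited by authenticated executions if the authenticating rule allowed the user to execute any command. Rules that only allowed the authenticated user to execute specific commands were not affected by this issue. The inherited PATH matters because any program the elevated command launches by bare name is then looked up in directories chosen by the invoking user rather than in a trusted default path.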
{ "vanir_signatures": [ { "id": "CVE-2019-25016-04ee6c31", "digest": { "length": 4308.0, "function_hash": "7098330978455536148109103280447537240" }, "source": "https://github.com/duncaen/opendoas/commit/d5acd52e2a15c36a8e06f9103d35622933aa422d", "signature_version": "v1", "target": { "function": "main", "file": "doas.c" }, "deprecated": false, "signature_type": "Function" }, { "id": "CVE-2019-25016-1dbd081b", "digest": { "line_hashes": [ "231007709997070606970432031264988504774" ], "threshold": 0.9 }, "source": "https://github.com/duncaen/opendoas/commit/01c658f8c45cb92a343be5f32aa6da70b2032168", "signature_version": "v1", "target": { "file": "doas.h" }, "deprecated": false, "signature_type": "Line" }, { "id": "CVE-2019-25016-2c8ed0c4", "digest": { "line_hashes": [ "231110764212316461141416984353451739909", "48441911000450214705815811512521461542", "151168221494388165766927318223219874647", "249400151921621738828160597630264960307", "75344284143316011413155972510703904260", "107835079014415195767658276799020314599", "3624704062695225774971047727750443519", "210902324541330136036704086401647312044", "12395157652841821889255212881233562243", "152904917964781074889615999068623345429", "121619290354750308327406962442542535112", "201924830262806423905011167628223520240", "309228072397450860923504480371459819663", "187481220286621766275240747572787731475", "250284520816918137950741772928248576543", "208467881117005140176959003017775131823", "91773150467752056710322922946048359888", "170788070311357272796998996708653839945", "313498383051195508754530838091569028152", "339977404130653776622835270519146694715", "150474329929098544001714432674839672679", "256244181334327505598513019873580600364", "255142214800660335652924569546819404660", "50571261654530264816494450194921034954", "252867978570132254648626344380829943254", "254856661739382988390247707698747057420", "152086245846992507187176182062410045549", "67914587962332430480993194254472678792", 
"63804212172144207191189564382493189062", "145990509849831815130987437565713594383", "307740484561858907319207558001973381106", "6983776394035282252805287756591399283", "176549937264176799156569583778642439029" ], "threshold": 0.9 }, "source": "https://github.com/duncaen/opendoas/commit/01c658f8c45cb92a343be5f32aa6da70b2032168", "signature_version": "v1", "target": { "file": "env.c" }, "deprecated": false, "signature_type": "Line" }, { "id": "CVE-2019-25016-2ea24e83", "digest": { "length": 5566.0, "function_hash": "42908504996377818008225957040937696126" }, "source": "https://github.com/duncaen/opendoas/commit/01c658f8c45cb92a343be5f32aa6da70b2032168", "signature_version": "v1", "target": { "function": "main", "file": "doas.c" }, "deprecated": false, "signature_type": "Function" }, { "id": "CVE-2019-25016-6e88d6dc", "digest": { "line_hashes": [ "82421280381351964465846937784636923593", "187492228799553088891971297768223607001", "339133227222824900054163433920920231016", "203943906308288206055648740558614812237", "63036852031059749637822516844654605023", "182413496885526328057083603134424165361", "197453611604326364852252673376264939524", "85172692533219297388325506270839739901", "57672792752139126986797701043401362666" ], "threshold": 0.9 }, "source": "https://github.com/duncaen/opendoas/commit/01c658f8c45cb92a343be5f32aa6da70b2032168", "signature_version": "v1", "target": { "file": "doas.c" }, "deprecated": false, "signature_type": "Line" }, { "id": "CVE-2019-25016-7400f127", "digest": { "line_hashes": [ "162194002426821285644788617706889120027", "147290946160661880513048956819438232208", "333992195635180149045190548998442126096", "203943906308288206055648740558614812237", "272791045080084209974340772837191315903", "93886895216760195033355549902898906689", "135935894908028979400589891588076374315", "325470285944737631327347462970541281906" ], "threshold": 0.9 }, "source": "https://github.com/duncaen/opendoas/commit/d5acd52e2a15c36a8e06f9103d35622933aa422d", 
"signature_version": "v1", "target": { "file": "doas.c" }, "deprecated": false, "signature_type": "Line" }, { "id": "CVE-2019-25016-8abe33d2", "digest": { "length": 364.0, "function_hash": "289383679655243289808284369618779008913" }, "source": "https://github.com/duncaen/opendoas/commit/01c658f8c45cb92a343be5f32aa6da70b2032168", "signature_version": "v1", "target": { "function": "prepenv", "file": "env.c" }, "deprecated": false, "signature_type": "Function" }, { "id": "CVE-2019-25016-c22b4a1c", "digest": { "length": 741.0, "function_hash": "164581048558700203767737999635241135344" }, "source": "https://github.com/duncaen/opendoas/commit/01c658f8c45cb92a343be5f32aa6da70b2032168", "signature_version": "v1", "target": { "function": "createenv", "file": "env.c" }, "deprecated": false, "signature_type": "Function" } ] }