CVE-2019-25016

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-25016
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-25016.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-25016
Downstream
Published
2021-01-28T20:15:12.663Z
Modified
2025-11-20T11:02:19.198734Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In OpenDoas from 6.6 to 6.8, the user's PATH variable was incorrectly inherited by authenticated executions if the authenticating rule allowed the user to execute any command (that is, a doas.conf rule with no `cmd` restriction), so the search path of the executed command was controlled by the invoking user. Rules that only allowed the authenticated user to execute specific commands were not affected by this issue.

References

Affected packages

Git / github.com/duncaen/opendoas

Affected ranges

Type
GIT
Repo
https://github.com/duncaen/opendoas
Events
Introduced
0 (introduced commit unknown, so all previous commits are affected; note that this git range is broader than the 6.6 to 6.8 range given under Details)
Fixed
Fixed
Fixed

Affected versions

v0.*

v0.1
v0.2
v0.3
v0.3.1
v0.3.2

v6.*

v6.0

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "source": "https://github.com/duncaen/opendoas/commit/d5acd52e2a15c36a8e06f9103d35622933aa422d",
        "id": "CVE-2019-25016-04ee6c31",
        "signature_type": "Function",
        "target": {
            "file": "doas.c",
            "function": "main"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "7098330978455536148109103280447537240",
            "length": 4308.0
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/duncaen/opendoas/commit/01c658f8c45cb92a343be5f32aa6da70b2032168",
        "id": "CVE-2019-25016-1dbd081b",
        "signature_type": "Line",
        "target": {
            "file": "doas.h"
        },
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "231007709997070606970432031264988504774"
            ]
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/duncaen/opendoas/commit/01c658f8c45cb92a343be5f32aa6da70b2032168",
        "id": "CVE-2019-25016-2c8ed0c4",
        "signature_type": "Line",
        "target": {
            "file": "env.c"
        },
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "231110764212316461141416984353451739909",
                "48441911000450214705815811512521461542",
                "151168221494388165766927318223219874647",
                "249400151921621738828160597630264960307",
                "75344284143316011413155972510703904260",
                "107835079014415195767658276799020314599",
                "3624704062695225774971047727750443519",
                "210902324541330136036704086401647312044",
                "12395157652841821889255212881233562243",
                "152904917964781074889615999068623345429",
                "121619290354750308327406962442542535112",
                "201924830262806423905011167628223520240",
                "309228072397450860923504480371459819663",
                "187481220286621766275240747572787731475",
                "250284520816918137950741772928248576543",
                "208467881117005140176959003017775131823",
                "91773150467752056710322922946048359888",
                "170788070311357272796998996708653839945",
                "313498383051195508754530838091569028152",
                "339977404130653776622835270519146694715",
                "150474329929098544001714432674839672679",
                "256244181334327505598513019873580600364",
                "255142214800660335652924569546819404660",
                "50571261654530264816494450194921034954",
                "252867978570132254648626344380829943254",
                "254856661739382988390247707698747057420",
                "152086245846992507187176182062410045549",
                "67914587962332430480993194254472678792",
                "63804212172144207191189564382493189062",
                "145990509849831815130987437565713594383",
                "307740484561858907319207558001973381106",
                "6983776394035282252805287756591399283",
                "176549937264176799156569583778642439029"
            ]
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/duncaen/opendoas/commit/01c658f8c45cb92a343be5f32aa6da70b2032168",
        "id": "CVE-2019-25016-2ea24e83",
        "signature_type": "Function",
        "target": {
            "file": "doas.c",
            "function": "main"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "42908504996377818008225957040937696126",
            "length": 5566.0
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/duncaen/opendoas/commit/01c658f8c45cb92a343be5f32aa6da70b2032168",
        "id": "CVE-2019-25016-6e88d6dc",
        "signature_type": "Line",
        "target": {
            "file": "doas.c"
        },
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "82421280381351964465846937784636923593",
                "187492228799553088891971297768223607001",
                "339133227222824900054163433920920231016",
                "203943906308288206055648740558614812237",
                "63036852031059749637822516844654605023",
                "182413496885526328057083603134424165361",
                "197453611604326364852252673376264939524",
                "85172692533219297388325506270839739901",
                "57672792752139126986797701043401362666"
            ]
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/duncaen/opendoas/commit/d5acd52e2a15c36a8e06f9103d35622933aa422d",
        "id": "CVE-2019-25016-7400f127",
        "signature_type": "Line",
        "target": {
            "file": "doas.c"
        },
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "162194002426821285644788617706889120027",
                "147290946160661880513048956819438232208",
                "333992195635180149045190548998442126096",
                "203943906308288206055648740558614812237",
                "272791045080084209974340772837191315903",
                "93886895216760195033355549902898906689",
                "135935894908028979400589891588076374315",
                "325470285944737631327347462970541281906"
            ]
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/duncaen/opendoas/commit/01c658f8c45cb92a343be5f32aa6da70b2032168",
        "id": "CVE-2019-25016-8abe33d2",
        "signature_type": "Function",
        "target": {
            "file": "env.c",
            "function": "prepenv"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "289383679655243289808284369618779008913",
            "length": 364.0
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/duncaen/opendoas/commit/01c658f8c45cb92a343be5f32aa6da70b2032168",
        "id": "CVE-2019-25016-c22b4a1c",
        "signature_type": "Function",
        "target": {
            "file": "env.c",
            "function": "createenv"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "164581048558700203767737999635241135344",
            "length": 741.0
        }
    }
]