Description
An issue was discovered in slicer69 doas before 6.2 on certain platforms other than OpenBSD. On platforms without strtonum(3), sscanf was used without checking for error cases. Instead, the uninitialized variable errstr was checked and in some cases returned success even if sscanf failed. The result was that, instead of reporting that the supplied username or group name did not exist, it would execute the command as root.
References (2)
Core 2
Core References
Patch x_refsource_misc
https://github.com/slicer69/doas/commit/2f83222829448e5bc4c9391d607ec265a1e06531
Release Notes x_refsource_misc
https://github.com/slicer69/doas/compare/6.1p1...6.2
Scores
CVSS v3
9.8
EPSS
0.0211
EPSS Percentile
79.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-863
CWE-252
CWE-908
CWE-754
Status
published
Products (1)
doas_project/doas
< 6.2
Published
Oct 18, 2019
Tracked Since
Feb 18, 2026