The Ubuntu 25.10 transition to using some Rust system utilities continues proving quite rocky. Beyond some early performance issues with Rust Coreutils, breakage for some executables, and broken unattended upgrades due to a Rust Coreutils bug, it’s also sudo-rs now causing Ubuntu developers some headaches. There are two moderate security issues affecting sudo-rs, the Rust version of sudo being used by Ubuntu 25.10.
Initially opened as a private bug report last week was [sudo-rs] Update to address two moderate vulnerabilities.
“Upstream will release a fix for two moderate vulnerabilities targeting Friday (Nov 7 2025).
The expected coordinated release of this fix is Monday (Nov 10 2025).
One of these vulnerabilities is CVE-2025-64170.”
That bug report has since been made public with the upstream sudo-rs fixes being committed. Ubuntu 25.10 is also seeing a stable release update (SRU) to address these two security issues.
One of the patches is to prevent the sudo password from being leaked in case of a timeout or sudo being killed. Another patch is to use enum for the feedback parameter. Another patch to ensure feedback is always erased before exiting the read unbuffered code. Another change is also made to not treat backspace as a password character when the password is empty.
I haven’t seen any of the CVE reports made public yet for these sudo-rs security issues, but even alone the one for potentially leaking the sudo password in case of timeout or sudo being killed is significant.
Released now is sudo-rs 0.2.10 with the latest fixes and other changes. The sudo-rs package for Ubuntu 25.10 is being SRU’ed to users.
