Bugzilla – Bug 1208595
VUL-0: CVE-2023-27320: sudo: double free with per-command chroot sudoers rules
Last modified: 2024-05-06 08:18:04 UTC
*** Bug 1208596 has been marked as a duplicate of this bug. ***
Issue has appeared in the changelog of sudo upstream. In SLE:
SUSE:SLE-15-SP4:Update: created request id 290896
SUSE:SLE-15-SP5:GA: created request id 290898
Updated Factory to 1.9.13p2, which addresses this issue. Created request id 1068080. Handing off to security-team.
Public!
CVE-2023-27320 was assigned to this issue.
Fixed a potential double-free bug when matching a sudoers rule that contains a per-command chroot directive (CHROOT=dir). This bug was introduced in sudo 1.9.8 https://www.sudo.ws/releases/stable/#1.9.13p2
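The changelog entry above gives the two facts a defender needs: the bug is only reachable through sudoers rules that carry a per-command CHROOT=dir option, and upstream versions from 1.9.8 up to but not including 1.9.13p2 contain it. The following script is an added example written for this page (it is not code from the bug report, from SUSE or from the sudo project). It parses a `sudo -V` version string, tells whether it falls in that upstream range, and lists the sudoers rules that use CHROOT=dir. The sample sudoers text is constructed. Note the caveat visible in this very report: a distribution that backports the fix (here sudo-1.9.9-150400.4.26.1) keeps an "affected" upstream version number, so the version result is a prompt to check the vendor advisory, not a verdict.

```python
"""Added example (not from the bug report or the sudo project): flag sudo
installations whose upstream version lies in the CVE-2023-27320 range named in
the changelog (introduced in 1.9.8, fixed in 1.9.13p2) and list the sudoers
rules that use the per-command CHROOT=dir option the bug is triggered by."""
import re
import subprocess

FIRST_AFFECTED = (1, 9, 8, 0)   # bug introduced in sudo 1.9.8 (per changelog)
FIRST_FIXED = (1, 9, 13, 2)     # fixed in sudo 1.9.13p2 (per changelog)

# sudo versions look like MAJOR.MINOR.PATCH with an optional "pN" suffix.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")
_CHROOT_RE = re.compile(r"\bCHROOT=(\S+)")

# Constructed sample sudoers content; not taken from any real system.
SAMPLE_SUDOERS = """\
# constructed sample, not a real sudoers file
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%builders   ALL=(root) CHROOT=/srv/chroot/build /usr/bin/make
alice       ALL=(ALL) NOPASSWD: \\
            CHROOT=/srv/jail /usr/bin/id
bob         ALL=(ALL) /usr/bin/id
"""


def parse_sudo_version(text):
    """'Sudo version 1.9.13p1' -> (1, 9, 13, 1); a missing pN counts as 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no sudo version found in: %r" % text)
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_affected_upstream(version):
    """True when the upstream version lies in [1.9.8, 1.9.13p2).
    Vendor backports (e.g. SUSE's 1.9.9-150400.4.26.1) are not recognised here."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def find_chroot_rules(sudoers_text):
    """Return (start_line, chroot_dir, normalised_rule) for every non-comment
    sudoers rule that uses CHROOT=dir; backslash continuations are joined."""
    hits = []
    buf, start = "", 0
    for no, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            start = no
        if line.endswith("\\"):          # rule continues on the next line
            buf += line[:-1] + " "
            continue
        rule = " ".join((buf + line).split())   # collapse whitespace
        buf = ""
        if not rule or rule.startswith("#"):
            continue
        for m in _CHROOT_RE.finditer(rule):
            hits.append((start, m.group(1), rule))
    return hits


def assess(version_text, sudoers_text):
    """Combine both checks; 'exposed' is only True when the version is in the
    upstream range AND at least one CHROOT=dir rule exists."""
    version = parse_sudo_version(version_text)
    rules = find_chroot_rules(sudoers_text)
    in_range = is_affected_upstream(version)
    return {
        "version": version,
        "affected_upstream_range": in_range,
        "chroot_rules": rules,
        "exposed": in_range and bool(rules),
    }


if __name__ == "__main__":
    # Live check: needs sudo on PATH and read access to /etc/sudoers (root).
    out = subprocess.run(["sudo", "-V"], capture_output=True, text=True).stdout
    try:
        with open("/etc/sudoers") as fh:
            sudoers = fh.read()
    except OSError as exc:
        print("cannot read /etc/sudoers (%s); using constructed sample" % exc)
        sudoers = SAMPLE_SUDOERS
    result = assess(out.splitlines()[0] if out else "Sudo version 0.0.0", sudoers)
    print("sudo version:", ".".join(map(str, result["version"][:3])),
          "p%d" % result["version"][3] if result["version"][3] else "")
    print("in upstream affected range:", result["affected_upstream_range"])
    for start, chroot_dir, rule in result["chroot_rules"]:
        print("line %d: CHROOT=%s  %s" % (start, chroot_dir, rule))
    print("exposed (version in range and CHROOT rules present):", result["exposed"])
```

The rule scan deliberately ignores `Defaults runchroot=...`, since the changelog ties the double free to the per-command CHROOT=dir form; extend `_CHROOT_RE` if you also want to inventory the Defaults setting.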
This is an autogenerated message for OBS integration: This bug (1208595) was mentioned in https://build.opensuse.org/request/show/1072565 Factory / sudo
Resubmitted with modified *changes file:
SUSE:SLE-15-SP4:Update 292876
SUSE:SLE-15-SP5:GA 292874
Assigning back to security team.
SUSE-SU-2023:1665-1: An update that solves three vulnerabilities and has three fixes can now be installed.
Category: security (moderate)
Bug References: 1203201, 1206483, 1206772, 1208595, 1209361, 1209362
CVE References: CVE-2023-27320, CVE-2023-28486, CVE-2023-28487
Sources used:
openSUSE Leap Micro 5.3 (src): sudo-1.9.9-150400.4.26.1
openSUSE Leap 15.4 (src): sudo-1.9.9-150400.4.26.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): sudo-1.9.9-150400.4.26.1
SUSE Linux Enterprise Micro 5.3 (src): sudo-1.9.9-150400.4.26.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): sudo-1.9.9-150400.4.26.1
SUSE Linux Enterprise Micro 5.4 (src): sudo-1.9.9-150400.4.26.1
Basesystem Module 15-SP4 (src): sudo-1.9.9-150400.4.26.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done, closing