CVE-2019-15901

Name of the Vulnerable Software and Affected Versions doas versions prior to 6.2

Description The issue is related to insufficient input validation in the setusercontext() function of the doas utility. This could allow a remote attacker to impact the integrity, confidentiality, and availability of protected information. The problem arises from a setusercontext(3) call being replaced with a single setuid(2) call on certain platforms, such as Linux and possibly NetBSD, which fails to change the group id or initialize secondary group ids.

Recommendations For doas versions prior to 6.2, update to version 6.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the setusercontext() function until a patch is available.