
Sudo, Heartbleed, and the Lessons We Still Haven’t Learned

We fixed Heartbleed. We didn’t fix the open source funding problem that still asks the people securing our infrastructure to volunteer while we overpay commodity app builders.

There was news last week about an issue that’s pretty much been beneath the radar for a couple of years. I’m trying to piece this together two years later from what I’m reading, but it appears that in February 2024, developer Todd Miller posted something of a plea on his personal website:

“For the past 30+ years I’ve been the maintainer of sudo,” he wrote. “I’m currently in search of a sponsor to fund continued sudo maintenance and development. If you or your organization is interested in sponsoring sudo, please let me know.”

That was about the entire message, and it’s remained on his site’s homepage for the past two years. As far as I can tell, until last week, outside a few posts on sites like Reddit this remained largely unreported. The first I heard about it was on Tuesday, when Brandon Vigliarolo gave it about 500 words on The Register, which was followed on Wednesday by another short article on Linuxiac from Bobby Borisov.

Shades of Heartbleed! This is software that is run directly, by hand, by far more people than ever knowingly touch OpenSSL, and likely by a user base that is, on the whole, much less experienced.

Heartbleed, you might remember, was a serious security vulnerability that went undiscovered for roughly two years. Its discovery revealed the open secret that OpenSSL, the cryptographic library behind the TLS connections that secure most of the web and much of the rest of the internet, was critically under-resourced, with a single person working on it full time and "a couple of people making regular commits." It was also vastly underfunded: news reports at the time put donations at something less than $2,000 annually.

You also might remember that for more than a few years after the vulnerability was discovered in 2014, people were worried about potential consequences down the line. The bug let an attacker read up to 64 KB of a server's process memory per malformed heartbeat request, which could include session cookies, passwords and the server's private key, and it did so without leaving any record of the intrusion in the server's logs.

The current issue with sudo could end up being worse than Heartbleed if it continues. We’ve already dodged a few bullets:

  • CVE‑2021‑3156: Called "Baron Samedit" (after the Vodou loa Baron Samedi), this was a heap-based buffer overflow in sudo's command-line argument handling, reachable through sudoedit, that let any local user, whether or not they appeared in sudoers, gain root on most Unix-like systems with default configurations. It had been present since 2011 before Qualys found it in January 2021.
  • CVE‑2025‑32463: This one got a CVSS score of 9.3 out of 10. Sudo's chroot (-R) option let a low-privilege local user run code as root on Linux systems; upstream fixed it in 1.9.17p1. CISA added it to the Known Exploited Vulnerabilities catalog on evidence of in-the-wild exploitation and ordered federal agencies to patch by a deadline.
  • Other high‑severity sudo bugs (including another 9.3 vulnerability discovered in 2025) that could give local attackers root on many distributions if left unpatched.
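As an added example, not code from the article or from the sudo project, here is a small Python script that reads the banner line from `sudo --version` and reports which of the two named CVEs above still fall inside their upstream affected ranges. The affected-range table is taken from the upstream advisories (CVE-2021-3156 affected 1.8.2 through 1.9.5p1, fixed in 1.9.5p2; CVE-2025-32463 affected 1.9.14 through 1.9.17, fixed in 1.9.17p1), and the sample banner strings are constructed for the example. The important caveat, which the script's output wording reflects, is that distributions routinely backport security fixes without changing the version sudo reports, so a hit here means "verify against your package changelog", not "you are exploitable".

```python
"""Check a sudo version banner against the upstream fixed-in versions of two
sudo CVEs. Added example, not part of the sudo project.

Caveat: distributions backport security fixes without bumping the version
sudo reports, so a hit means "check your package changelog", not "exploitable".
"""
import re
import shutil
import subprocess

# Affected ranges from the upstream advisories: first affected release and the
# release that carried the fix (exclusive upper bound).
ADVISORIES = {
    "CVE-2021-3156": {
        "summary": "Baron Samedit: heap overflow via sudoedit, any local user to root",
        "first_affected": "1.8.2",
        "fixed_in": "1.9.5p2",
    },
    "CVE-2025-32463": {
        "summary": "chroot (-R) option lets a local user run code as root",
        "first_affected": "1.9.14",
        "fixed_in": "1.9.17p1",
    },
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text):
    """Extract a comparable (major, minor, patch, plevel) tuple from text such
    as 'Sudo version 1.9.17p1' or a bare '1.9.5'. Releases without a 'pN'
    suffix sort as plevel 0, so 1.9.17 < 1.9.17p1."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def unpatched_cves(version_text):
    """Return the CVE IDs whose upstream affected range contains this version."""
    v = parse_version(version_text)
    hits = []
    for cve, adv in ADVISORIES.items():
        if parse_version(adv["first_affected"]) <= v < parse_version(adv["fixed_in"]):
            hits.append(cve)
    return hits


def report(version_text):
    """Human-readable verdict for one 'sudo --version' banner line."""
    hits = unpatched_cves(version_text)
    banner = version_text.strip()
    if not hits:
        return f"{banner}: upstream version outside the affected ranges in the table"
    details = "; ".join(f"{c} (fixed upstream in {ADVISORIES[c]['fixed_in']})" for c in hits)
    return f"{banner}: in affected range for {details}; confirm against the package changelog"


def installed_sudo_banner():
    """First line of `sudo --version` on this host, or None if sudo is absent."""
    if shutil.which("sudo") is None:
        return None
    out = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=False)
    return out.stdout.splitlines()[0] if out.stdout else None


if __name__ == "__main__":
    # Constructed sample banners in the format sudo prints, for offline use.
    samples = [
        "Sudo version 1.9.5p1",    # inside the Baron Samedit range
        "Sudo version 1.9.13p3",   # between the two bugs: outside both ranges
        "Sudo version 1.9.17",     # inside the chroot-bug range
        "Sudo version 1.9.17p1",   # carries both fixes
    ]
    banner = installed_sudo_banner()
    if banner:
        samples.insert(0, banner)
    for s in samples:
        print(report(s))
```

On a Debian or Ubuntu host the reported version is often an older base release with the fix backported, so after a hit, check `apt changelog sudo` (or `rpm -q --changelog sudo` on RPM-based systems) for the CVE identifier before raising an alarm.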

You would think that, since there is not an enterprise on the planet running Linux or Unix-like systems that isn't trusting the integrity of its entire infrastructure to sudo, somebody would sound the alarm and some of the big tech bros would have their underlings on the phone to Miller to find out what was needed to make things right.

The trouble is, enterprises don’t operate on the “stitch in time saves nine” philosophy, but use the “oil the wheel after it squeaks” approach. That means, when sudo finally squeaks loud enough for bottom-line-focused enterprises to hear, it might be because another Heartbleed — or worse — has been let loose.

Isn't this exactly what the Linux Foundation's Core Infrastructure Initiative, since folded into the Open Source Security Foundation, was established to handle in the wake of OpenSSL's difficulties?

