I have found a vulnerability in sudo and I was able to reproduce it on multiple instances of xubuntu. It didn't seem to work on debian.

How do I report it properly? I have read so much about responsible disclosure, but no one says where to look for information...

naugtur

  • Are you certain the bug is in sudo, and not the Xubuntu-specific configuration? Try using your Debian config on Xubuntu. – Zoredache Mar 14 '13 at 20:53
  • You can find a software vulnerability but have to ask how to report it to the maintainer? – Aaron Copley Mar 14 '13 at 21:02
  • @AaronCopley That's right. It's the first time I found a vuln that I wasn't able to google. My belief in the `stack.*` community made me think it's a good idea to ask before deciding what to do. And I was encouraged to choose an option that wasn't my first choice. (I didn't know Launchpad bugs can be private; why would I?) Are you trying to discourage that kind of behaviour? – naugtur Mar 14 '13 at 21:58
  • @Zoredache You're right that it's Ubuntu-specific. But I used the same config on both systems. It's about something lower-level than sudoers. – naugtur Mar 14 '13 at 22:01

2 Answers

This article describes how to file a bug in Xubuntu. What is not said is that during the process you will be redirected to Launchpad, where you will be able to mark the bug as a security vulnerability; see the screenshot below:

[screenshot: Launchpad checkbox "This bug is a security vulnerability"]

Huygens

From the man page, you can find the sudo homepage here.

There seems to be a mailing list for maintainers here.

For Ubuntu-specific bugs you can use security@ubuntu.com.

gparent

  • OK, but it looks like it's Ubuntu-specific. Does this change anything? – naugtur Mar 14 '13 at 20:51
  • For Ubuntu you can use security@ubuntu.com. By the way, the only thing I did was roughly rephrase your question into Google's search box... – gparent Mar 14 '13 at 20:52
  • I know I look really lame asking about that, but when I googled there were a lot of results saying different things... I wanted to ask people who had done stuff like that already. Maybe I should have gone to Security Stack Exchange. My bad. – naugtur Mar 14 '13 at 21:10