Sudo’s build system has native support for compiling with Sanitizers when using the gcc or clang compilers. It is recommended that you use the configure options described below rather than trying to adjust the CC, CFLAGS or LDFLAGS Makefile options. Failure to do so may result in memory leak false positives.

Building sudo with sanitizer support

To build sudo with sanitizer support you must use the --enable-sanitizer configure option. This will add the -fsanitize and -fno-omit-frame-pointer ...
Double free with per-command chroot sudoers rules
Static analysis security testing (SAST) is a way of finding flaws in software without running it in the traditional sense. Source code is checked for dangerous patterns and data flow analysis is performed to find potential errors. One of the advantages of SAST is that it is capable of finding errors in code paths that are unlikely, but still possible, to happen at run-time. Multiple SAST tools are used during sudo development.
The Sudo Project takes security seriously. If you believe you have found a security vulnerability in Sudo, you can report it to us as described below.

Reporting Security Issues

Do not report security vulnerabilities through public GitHub issues or Bugzilla. Instead, report them via email to Todd.Miller@sudo.ws. You may encrypt your message with PGP if you would like. The current PGP key has the fingerprint 59D1 E9CC BA2B 3767 04FD D35B A9F4 C021 CEA4 70FB and may be downloaded from the sudo.
Fuzz testing is an automated method of finding bugs (and potential security vulnerabilities) by passing random input to a program or function. It is often performed in conjunction with a tool that can detect incorrect or undefined behavior, such as out-of-bounds access (buffer overflow/underflow), use of uninitialized data, use of memory after it has been freed, and freeing the same memory more than once. For testing sudo, we use both Address Sanitizer (ASAN) and Undefined Behavior Sanitizer ...