It made absolutely no sense for Ubuntu to rush to Rust utilities. Rust is such a moving target when it comes to the compiler, and it’s not the savior for memory-safe programming. As a programmer you’re supposed to validate variables in the code to make sure things don’t escape their memory space. But the rush to memory-safe languages is primarily a move by megacorps who like to get rid of the really experienced programmers for the new graduates that are cheap, especially if hired in other countries. But there may be another angle to the rush for Rust, and that’s vibe coding with megacorps admitting a good chunk of their code was done by AI, adding AI slop to their code. This post had a great rundown on the current situation. And I was reminded of another Rust project I run besides Electrs (Electrum personal server in Rust), and that’s the fish shell I switch all of my computers to, though I haven’t had an issue as they tested it pretty thoroughly before the move in version 4.0. And in conclusion, Ubuntu made this move to Rust utilities to force the projects to mature quickly, even though it was hurting users. And Ubuntu is trash these days for a myriad of other reasons, but they clearly don’t respect their users in shipping code that isn’t ready.
https://www.phoronix.com/news/sudo-rs-security-ubuntu-25.10
By Michael Larabel

The Ubuntu 25.10 transition to using some Rust system utilities continues proving quite rocky. Beyond some early performance issues with Rust Coreutils, breakage for some executables, and broken unattended upgrades due to a Rust Coreutils bug, it’s also sudo-rs now causing Ubuntu developers some headaches. There are two moderate security issues affecting sudo-rs, the Rust version of sudo being used by Ubuntu 25.10.
Initially opened as a private bug report last week was “[sudo-rs] Update to address two moderate vulnerabilities”.
“Upstream will release a fix for two moderate vulnerabilities targeting Friday (Nov 7 2025).
The expected coordinated release of this fix is Monday (Nov 10 2025).
One of these vulnerabilities is CVE-2025-64170.”
That bug report has since been made public with the upstream sudo-rs fixes being committed. Ubuntu 25.10 is also seeing a stable release update (SRU) to address these two security issues.
One of the patches is to prevent the sudo password from being leaked in case of a timeout or sudo being killed. Another patch is to use an enum for the feedback parameter. Another patch is to ensure feedback is always erased before exiting the read unbuffered code. Another change is also made to not treat backspace as a password character when the password is empty.
I haven’t seen any of the CVE reports made public yet for these sudo-rs security issues, but even on its own the one for potentially leaking the sudo password in case of timeout or sudo being killed is significant.
Released now is sudo-rs 0.2.10 with the latest fixes and other changes. The sudo-rs package for Ubuntu 25.10 is being SRU’ed to users.
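
The patches listed in the article (feedback as an enum, backspace ignored on an empty password, feedback erased before the read code exits) describe properties of a password reader that can be sketched over a byte stream. The following is an added example, not sudo-rs code: `Feedback`, `Outcome`, `read_password` and `visible` are hypothetical names, and input that ends without a newline is assumed to model a timeout or the process being killed.

```rust
// Added illustration; not sudo-rs code. All names are hypothetical.
#[derive(Clone, Copy, PartialEq)]
enum Feedback { Hidden, Stars } // an enum, so call sites cannot mix up a bare bool

#[derive(Debug, PartialEq)]
enum Outcome { Entered(Vec<u8>), Aborted }

const ERASE: &[u8] = b"\x08 \x08"; // cursor left, overwrite with space, cursor left

/// Reads one password from `input`, writing visual feedback to `term`.
fn read_password(input: &[u8], feedback: Feedback, term: &mut Vec<u8>) -> Outcome {
    let mut pw: Vec<u8> = Vec::new();
    let mut complete = false;
    for &b in input {
        match b {
            b'\n' | b'\r' => { complete = true; break; }
            0x7f | 0x08 => {
                // Backspace is an editing key, never password data.
                // On an empty buffer it changes nothing and draws nothing.
                if pw.pop().is_some() && feedback == Feedback::Stars {
                    term.extend_from_slice(ERASE);
                }
            }
            _ => {
                pw.push(b);
                if feedback == Feedback::Stars { term.push(b'*'); }
            }
        }
    }
    // Single exit path: erase every star still on screen, whether the read
    // completed or was cut short.
    if feedback == Feedback::Stars {
        for _ in 0..pw.len() { term.extend_from_slice(ERASE); }
    }
    // A partially typed password is dropped here, never handed to the caller.
    if complete { Outcome::Entered(pw) } else { Outcome::Aborted }
}

/// Replays `term` on a one-line model of the screen; returns what stays visible.
fn visible(term: &[u8]) -> String {
    let (mut line, mut cur) = (Vec::<u8>::new(), 0usize);
    for &b in term {
        if b == 0x08 { cur = cur.saturating_sub(1); continue; }
        if cur == line.len() { line.push(b) } else { line[cur] = b }
        cur += 1;
    }
    String::from_utf8_lossy(&line).trim_end().to_string()
}

fn main() {
    let mut term = Vec::new();
    let out = read_password(b"\x7fpa\x7fss", Feedback::Stars, &mut term); // constructed input, no newline
    println!("{:?}, left on screen: {:?}", out, visible(&term));
}
```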