Package: sudo
Version: 1.7.2p1-1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu lucid ubuntu-patch

In Ubuntu, we've applied the attached patch to achieve the following:

  * SECURITY UPDATE: properly verify path for the 'sudoedit' pseudo-command
    in match.c
    - http://sudo.ws/repos/sudo/rev/88f3181692fe
    - CVE-2010-0426

We thought you might be interested in doing the same.


-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid-proposed'), (500, 'lucid')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-14-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u sudo-1.7.2p1/debian/changelog sudo-1.7.2p1/debian/changelog
only in patch2:
unchanged:
--- sudo-1.7.2p1.orig/match.c
+++ sudo-1.7.2p1/match.c
@@ -381,7 +381,7 @@
     char *sudoers_args;
 {
     /* Check for pseudo-commands */
-    if (strchr(user_cmnd, '/') == NULL) {
+    if (sudoers_cmnd[0] != '/') {
 	/*
 	 * Return true if both sudoers_cmnd and user_cmnd are "sudoedit" AND
 	 *  a) there are no args in sudoers OR
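
Review bot: at the changed condition, `if (sudoers_cmnd[0] != '/') {`, every sudoers entry that does not start with '/' now enters the pseudo-command branch whatever user_cmnd contains, so the branch body has to reject anything other than an exact "sudoedit" pair. The visible comment says it returns true only when both sudoers_cmnd and user_cmnd are "sudoedit", but the hunk ends before that code; please confirm the non-matching case returns false there rather than falling through to whatever matching follows. It would also help to extend the `/* Check for pseudo-commands */` comment to say that the test is keyed on the sudoers entry and no longer on user_cmnd, since that is the whole point of the fix. Separately, the debdiff header names debian/changelog but no changelog hunk is included in what was posted.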
