Package: sudo
Version: 1.7.2p1-1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu lucid ubuntu-patch

In Ubuntu, we've applied the attached patch to achieve the following:

  * SECURITY UPDATE: properly verify path for the 'sudoedit' pseudo-command
    in match.c
    - http://sudo.ws/repos/sudo/rev/88f3181692fe
    - CVE-2010-0426

We thought you might be interested in doing the same.

-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid-proposed'), (500, 'lucid')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-14-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -u sudo-1.7.2p1/debian/changelog sudo-1.7.2p1/debian/changelog only in patch2: unchanged: --- sudo-1.7.2p1.orig/match.c +++ sudo-1.7.2p1/match.c @@ -381,7 +381,7 @@ char *sudoers_args; { /* Check for pseudo-commands */ - if (strchr(user_cmnd, '/') == NULL) { + if (sudoers_cmnd[0] != '/') { /* * Return true if both sudoers_cmnd and user_cmnd are "sudoedit" AND * a) there are no args in sudoers OR
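
Review bot: the new test `sudoers_cmnd[0] != '/'` in the match.c hunk at @@ -381,7 +381,7 @@ no longer inspects user_cmnd at all, so rejecting a user-supplied command that merely resembles "sudoedit" now rests entirely on the comparison the following comment describes ("both sudoers_cmnd and user_cmnd are "sudoedit""), and that code is outside the visible context. Please confirm that comparison is an exact string match on user_cmnd, and extend the "Check for pseudo-commands" comment to state that the branch is selected from the sudoers entry because user_cmnd is supplied by the caller. Separately, the diff header names debian/changelog but no changelog hunk is visible here; the entry quoted in the report should travel with the patch.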