The problem happens at line 394 of set_perms.c. Since the uid number is invalid, the pw_name field of the passwd struct is never assigned a string; that is, its value is NULL, and initgroups() dereferences it.
I can't see a way of exploiting this problem, and it seems to be already fixed in sudo 1.7. Anyhow, in order to be on the safe side, it may be a good idea to apply the attached patch to the lenny package.
diff -ur sudo-1.6.9p17.old/set_perms.c sudo-1.6.9p17/set_perms.c
--- sudo-1.6.9p17.old/set_perms.c 2007-11-27 21:41:23.000000000 -0200
+++ sudo-1.6.9p17/set_perms.c 2009-07-05 03:11:33.000000000 -0300
@@ -391,7 +391,9 @@
*/
if (ngroups == -1) {
pw = runas_pw ? runas_pw : sudo_user.pw;
- if (initgroups(pw->pw_name, pw->pw_gid) < 0)
+ if (pw->pw_name == NULL)
+ log_error(MSG_ONLY, "invalid username");
+ else if (initgroups(pw->pw_name, pw->pw_gid) < 0)
log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector");
if ((ngroups = getgroups(0, NULL)) < 0)
log_error(USE_ERRNO|MSG_ONLY, "can't get runas ngroups");
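Review bot: The new "invalid username" branch drops the one piece of information an admin needs to diagnose the failure, namely which uid produced a passwd entry without a name; since pw_uid is still populated, `log_error(MSG_ONLY, "no user name for uid %lu", (unsigned long) pw->pw_uid);` would make the log line actionable. Both branches of the if/else also rely on log_error() not returning: if it does return here, execution falls through to getgroups() and sudo continues with the invoking user's group vector instead of the runas user's, which is a silent privilege mismatch, so a comment such as `/* log_error() does not return */` (or an explicit exit) would document that dependence. Presumably the NULL pw_name originates where the fallback passwd struct for an unknown uid is built, so a fix at that point would cover every caller rather than only this one; I cannot confirm that from the hunk. The enclosing function starts and ends outside this hunk.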