Package: sudo
Severity: grave
Tags: security
Justification: user security hole
Please see http://www.gratisoft.us/sudo/alerts/secure_path.html
Patch for Lenny is attached, for Squeeze it's likely best to
update to 1.7.2p7.
Cheers,
Moritz
diff -urNa sudo-1.6.9p22/env.c sudo-1.6.9p23/env.c
--- sudo-1.6.9p22/env.c Wed Apr 7 06:32:26 2010
+++ sudo-1.6.9p17/env.c Fri May 28 09:54:46 2010
@@ -270,6 +270,7 @@
{
char **nep;
size_t varlen;
+ int found = FALSE;
/* Make sure there is room for the new entry plus a NULL. */
if (e->env_len + 2 > e->env_size) {
@@ -278,20 +279,34 @@
}
if (dupcheck) {
- varlen = (strchr(str, '=') - str) + 1;
+ varlen = (strchr(str, '=') - str) + 1;
- for (nep = e->envp; *nep; nep++) {
+ for (nep = e->envp; !found && *nep != NULL; nep++) {
+ if (strncmp(str, *nep, varlen) == 0) {
+ *nep = str;
+ found = TRUE;
+ }
+ }
+ /* Prune out duplicate variables. */
+ if (found) {
+ while (*nep != NULL) {
if (strncmp(str, *nep, varlen) == 0) {
- *nep = str;
- return;
+ memmove(nep, nep + 1,
+ (e->env_len - (nep - e->envp)) * sizeof(char *));
+ e->env_len--;
+ } else {
+ nep++;
}
}
- } else
- nep = e->envp + e->env_len;
+ }
+ }
- e->env_len++;
- *nep++ = str;
- *nep = NULL;
+ if (!found) {
+ nep = e->envp + e->env_len;
+ e->env_len++;
+ *nep++ = str;
+ *nep = NULL;
+ }
}
/*