Freek Dijkstra wrote:
> Martin Schulze wrote:
>
> > Proposed updates for woody and sarge are here:
> > http://klecker.debian.org/~joey/security/sudo/
> > I'd be glad if you could test them.
>
> That's awesome. Thanks! Here, have some karma :-)

:)

> I just installed your version on sarge using:
> - Remove my (custom) "Defaults" line in my /etc/sudoers file
> - sudo dpkg -i sudo_1.6.8p7-1.4_i386.deb
>
> Most environment variables seem there as I would expect, and those I
> don't expect are indeed removed. The only issue I still have is that the
> manual page should still be updated. I noticed some changes in
> sudoers.pod (in sudo_1.6.8p7-1.4.diff.gz), but somehow that did not pass
> to the sudoers.5.gz man page in the sudo_1.6.8p7-1.4_i386.deb.

Umh... That's a packaging bug, I'll get it to recreate the manpage explicitly.

> I just read through all bugreports, and carefully tried to reproduce
> each one to see if all is well now.
>
> Most importantly, the variables that are kept are indeed now the same as
> I would get when I specify "Defaults env_reset". Specifically:
> HOME variable kept (closes #349587)
> SHELL variable kept (closes #350776)
> DISPLAY variable kept (closes #349085)
> XAUTHORITY variable kept (closes #349549)

These are not passed through by env_reset with the original source, but
only with this patch.

> Two variables are not kept:
> EDITOR variable kept (bug #349196).

Not important.

> LC_ALL variable kept in earlier releases, including sudo_1.6.8p7-1.3
> (the previous security fix).

I've added the locale variables again.

> Update manual pages (#349129):
> NOT FIXED.

Done now.

> Given that some things still need manual tweaking (e.g. EDITOR or LC_*
> variables), it is good to update the page. I noticed that one of the
> files you created, sudo_1.6.8p7-1.4.diff.gz, has some manual changes to
> sudoers.pod, but these changes are not reflected in the sudoers.5.gz man
> page in the sudo_1.6.8p7-1.4_i386.deb. Additionally, if you have not
> done so, here is also a patch for the man pages:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349196;msg=34

Too many unrelated changes, rejected, should potentially be applied to
the version in sid->etch.

> sudo -V output is misleading: it gives a very incomplete list of
> env vars that are removed. (also #349129)
> NOT FIXED.

Well... yes, it is misleading. That's due to the program structure.

> To be honest, I'm not sure if this should be fixed now. On one hand it
> would be good, but I fear that it may introduce too much new code (which
> seems a bad thing for a security patch). I would leave it open for etch,
> but not fix it in woody or sarge, but the security team can decide best.

It should be adjusted in sid instead.

> Complaint about 'sudo vi <anyfile>':
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349196;msg=15
> Status: I can't reproduce it (or it is simply fixed now)

Problem was missing $HOME.

> Complaint about "sudo joe filename":
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349196;msg=10
> Status: I can't reproduce it (or it is simply fixed now)

Problem was missing $HOME.

> Complaint that "Defaults env_reset, env_keep=*, always_set_home" gives
> two PATH variables instead of one (#354431).
> NOT FIXED.
> This is indeed an important bug, but I think it is not directly related
> to the security bug, and should thus just be fixed in etch.

Not security related.

> Finally, I suggest to add a /usr/share/doc/sudo/README.Debian file with
> these contents:

Ok.

Thanks a lot. I've produced new packages and copied them to the same
location.

Regards,

	Joey

-- 
Linux - the choice of a GNU generation.
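
The per-variable check walked through in the mail above can be scripted. The following is an added example, not part of the original message or of the sudo packaging: the function names, file names and sample dumps are constructed for illustration, and it assumes one NAME=value pair per line in each dump.

```shell
#!/bin/sh
# Added example: classify variables by comparing `env` with `sudo env`.
# Real use: env > before.env; sudo env > after.env (one NAME=value per line)

# env_status BEFORE AFTER NAME -> kept | changed | removed | unset
env_status() {
    awk -v name="$3" '
        function val(line) { return substr(line, length(name) + 2) }
        index($0, name "=") == 1 {
            if (FILENAME == ARGV[1]) { b = 1; bv = val($0) }
            else                     { a = 1; av = val($0) }
        }
        END {
            if (!b)            print "unset"
            else if (!a)       print "removed"
            else if (av == bv) print "kept"
            else               print "changed"
        }' "$1" "$2"
}

# env_report BEFORE AFTER NAME... -> one "NAME status" line per variable
env_report() {
    before=$1; after=$2; shift 2
    for name in "$@"; do
        printf '%s %s\n' "$name" "$(env_status "$before" "$after" "$name")"
    done
}

# Constructed sample (user alice is hypothetical), mirroring the -1.4 test result above.
write_sample() {
    cat > "$1/before.env" <<'EOF'
HOME=/home/alice
SHELL=/bin/bash
DISPLAY=:0.0
XAUTHORITY=/home/alice/.Xauthority
EDITOR=vim
LC_ALL=en_US.UTF-8
EOF
    cat > "$1/after.env" <<'EOF'
HOME=/home/alice
SHELL=/bin/bash
DISPLAY=:0.0
XAUTHORITY=/home/alice/.Xauthority
SUDO_USER=alice
EOF
}

tmp=$(mktemp -d) && write_sample "$tmp" &&
    env_report "$tmp/before.env" "$tmp/after.env" HOME SHELL DISPLAY XAUTHORITY EDITOR LC_ALL
rm -rf "$tmp"
```

"unset" means the invoking user never had the variable, so a name that appears only in the `sudo env` dump (such as SUDO_USER here) is reported that way rather than as kept.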