Bug#532211: sudo: Segfault with -u # and non-existing user
The problem happens at line 394 of set_perms.c file. Since the uid number is invalid pw_name field of passwd struct is never assigned to a string, that it is, its value is NULL. I can't see a way of exploiting that problem and it seems to be already fixed on sudo 1.7. Anyhow, in order to be in the safe side, maybe it is a good idea to apply the attached patch to the lenny package. diff -ur sudo-1.6.9p17.old/set_perms.c sudo-1.6.9p17/set_perms.c --- sudo-1.6.9p17.old/set_perms.c 2007-11-27 21:41:23.0 -0200 +++ sudo-1.6.9p17/set_perms.c 2009-07-05 03:11:33.0 -0300 @@ -391,7 +391,9 @@ */ if (ngroups == -1) { pw = runas_pw ? runas_pw : sudo_user.pw; - if (initgroups(pw-pw_name, pw-pw_gid) 0) + if (pw-pw_name == NULL) + log_error(MSG_ONLY, invalid username); + else if (initgroups(pw-pw_name, pw-pw_gid) 0) log_error(USE_ERRNO|MSG_ONLY, can't set runas group vector); if ((ngroups = getgroups(0, NULL)) 0) log_error(USE_ERRNO|MSG_ONLY, can't get runas ngroups);
Bug#532211: sudo: Segfault with -u # and non-existing user
Package: sudo Version: 1.6.9p17-2 Severity: normal If you pass -u \# and a non-existant user id, then it appears to segfault. It's probably ok, but segfaults from security apps worry me. $ sudo -u \#499 id Segmentation fault Expected result $ sudo -u \#499 id uid=499 gid=0(root) groups=0(root) or something like that. It happens with apps other than id, so it probably isn't the app you run. Maybe it's the app that segfaults due to common libc code. Hmm. David -- System Information: Debian Release: 5.0 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Kernel: Linux 2.6.24-etchnhalf.1-686 (SMP w/4 CPU cores) Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/bash Versions of packages sudo depends on: ii libc6 2.7-18 GNU C Library: Shared libraries ii libpam-modules1.0.1-5Pluggable Authentication Modules f ii libpam0g 1.0.1-5Pluggable Authentication Modules l sudo recommends no packages. sudo suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org