Bug#532211: sudo: Segfault with -u # and non-existing user

2009-07-05 Thread Rafael Cunha de Almeida
The problem happens at line 394 of the set_perms.c file. Since the uid
number is invalid, the pw_name field of the passwd struct is never assigned
a string; that is, its value is NULL.

I can't see a way of exploiting that problem and it seems to be already
fixed in sudo 1.7. Anyhow, in order to be on the safe side, maybe it is
a good idea to apply the attached patch to the lenny package.

diff -ur sudo-1.6.9p17.old/set_perms.c sudo-1.6.9p17/set_perms.c
--- sudo-1.6.9p17.old/set_perms.c	2007-11-27 21:41:23.0 -0200
+++ sudo-1.6.9p17/set_perms.c	2009-07-05 03:11:33.0 -0300
@@ -391,7 +391,9 @@
  */
 if (ngroups == -1) {
 	pw = runas_pw ? runas_pw : sudo_user.pw;
-	if (initgroups(pw-pw_name, pw-pw_gid)  0)
+	if (pw-pw_name == NULL)
+	log_error(MSG_ONLY, invalid username);
+	else if (initgroups(pw-pw_name, pw-pw_gid)  0)
 	log_error(USE_ERRNO|MSG_ONLY, can't set runas group vector);
 	if ((ngroups = getgroups(0, NULL))  0)
 	log_error(USE_ERRNO|MSG_ONLY, can't get runas ngroups);
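
Review bot: the added pw_name == NULL branch reports "invalid username" for a -u #uid request whose uid has no passwd entry, while the bug report's expected result is that sudo -u \#499 id runs and prints uid=499, so this replaces the crash with a refusal rather than restoring the expected behaviour. Consider skipping initgroups when pw_name is NULL and setting the group vector from pw_gid alone, and say in the changelog which behaviour is intended. If log_error can return when called with MSG_ONLY, execution continues to getgroups without a runas group vector having been set, which deserves a comment or an explicit exit. The check also guards only this call site; any other use of pw_name for a runas entry built from a numeric uid needs the same test.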


Bug#532211: sudo: Segfault with -u # and non-existing user

2009-06-07 Thread David Sheldon
Package: sudo
Version: 1.6.9p17-2
Severity: normal

If you pass -u \# and a non-existent user id, then it appears to segfault.

It's probably ok, but segfaults from security apps worry me.

$ sudo -u \#499 id
Segmentation fault

Expected result
$ sudo -u \#499 id
uid=499 gid=0(root) groups=0(root) 

or something like that.

It happens with apps other than id, so it probably isn't the app you run. Maybe 
it's the app that segfaults due to common libc code. Hmm.

David

-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-etchnhalf.1-686 (SMP w/4 CPU cores)
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages sudo depends on:
ii  libc6           2.7-18   GNU C Library: Shared libraries
ii  libpam-modules  1.0.1-5  Pluggable Authentication Modules f
ii  libpam0g        1.0.1-5  Pluggable Authentication Modules l

sudo recommends no packages.

sudo suggests no packages.

-- no debconf information


