I can confirm this affects our 10.04 LTS server (Sudo version 1.7.2p1), and is fixed in 10.10 (Sudo version 1.7.2p7). (The upstream fix was released in 1.7.2p3.)
Note that this bug may be more serious than indicated:

1. It does not only affect the case of having an unresolvable hostname, but potentially any call to log_error(). (If I understand correctly, all log_error() calls with the MSG_ONLY flag set will be corrupted.)

2. The impact is not limited to emailing: in addition to send_mail(), both do_syslog() and do_logfile() are called with the bad buffer. From testing on our server, this results in all affected messages being omitted from syslog, too. (Just to confirm: the upstream patch fixes logging in addition to emailing.)

Given this, I think this bug should be escalated in severity to a potential security vulnerability: people rely on sudo's logging to work as advertised, and this bug causes a complete failure to log certain error messages that may indicate a real security breach.

https://bugs.launchpad.net/bugs/530073
Title: sudo emails contain random buffer contents if hostname can't be resolved
