Package: sudo Severity: grave Tags: security Justification: user security hole
Please see http://www.gratisoft.us/sudo/alerts/secure_path.html Patch for Lenny is attached, for Squeeze it's likely best to update to 1.7.2p7. Cheers, Moritz
diff -urNa sudo-1.6.9p22/env.c sudo-1.6.9p23/env.c
--- sudo-1.6.9p22/env.c Wed Apr 7 06:32:26 2010
+++ sudo-1.6.9p17/env.c Fri May 28 09:54:46 2010
@@ -270,6 +270,7 @@
 {
 char **nep;
 size_t varlen;
+ int found = FALSE;
 /* Make sure there is room for the new entry plus a NULL. */
 if (e->env_len + 2 > e->env_size) {
@@ -278,20 +279,34 @@
 }
 if (dupcheck) {
- varlen = (strchr(str, '=') - str) + 1;
+ varlen = (strchr(str, '=') - str) + 1;
- for (nep = e->envp; *nep; nep++) {
+ for (nep = e->envp; !found && *nep != NULL; nep++) {
+ if (strncmp(str, *nep, varlen) == 0) {
+ *nep = str;
+ found = TRUE;
+ }
+ }
+ /* Prune out duplicate variables. */
+ if (found) {
+ while (*nep != NULL) {
 if (strncmp(str, *nep, varlen) == 0) {
- *nep = str;
- return;
+ memmove(nep, nep + 1,
+ (e->env_len - (nep - e->envp)) * sizeof(char *));
+ e->env_len--;
+ } else {
+ nep++;
 }
 }
- } else
- nep = e->envp + e->env_len;
+ }
+ }
- e->env_len++;
- *nep++ = str;
- *nep = NULL;
+ if (!found) {
+ nep = e->envp + e->env_len;
+ e->env_len++;
+ *nep++ = str;
+ *nep = NULL;
+ }
 }
 /*
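Review bot: The `strchr(str, '=')` result on the `varlen` line is still used in pointer arithmetic without a NULL check, so a `str` with no `=` yields undefined behaviour and an arbitrary `varlen` that now feeds the `strncmp` calls in both the replace loop and the new prune loop. Whether every caller guarantees a `name=value` string is not visible here, since the function begins above the hunk, so the guard belongs at this point: `char *eq = strchr(str, '='); if (eq == NULL) return;` followed by `varlen = (eq - str) + 1;` (or whatever rejection policy the callers expect). The prune loop also depends on two non-obvious facts that deserve a comment, for example `/* nep already points past the replaced slot; the memmove count includes the terminating NULL */`.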