Package: sudo
Version: 1.6.9p17-3
Severity: normal
Tags: patch

sudo has a use-after-free bug when parsing wildcards in command names
in sudoers.  The symptom is that it can think a command does not match
the wildcard when, really, it does.  This happens semi-randomly; I can
only reproduce it on certain wildcard matches on certain systems.  But
the patch is obvious enough.

Upstream has rearranged the code slightly in 1.7 (maybe to address this
same bug), so this only affects lenny, not squeeze.

Fix use-after-free bug in parsing wildcard commands in sudoers.
*ap is inside the gl struct.

--- sudo-1.6.9p17/parse.c
+++ sudo-1.6.9p17/parse.c
@@ -316,9 +316,11 @@
                break;
            }
        }
-       globfree(&gl);
-       if (*ap == NULL)
+       if (*ap == NULL) {
+           globfree(&gl);
            return(FALSE);
+       }
+       globfree(&gl);
 
        if (!sudoers_args ||
            (!user_args && sudoers_args && !strcmp("\"\"", sudoers_args)) ||
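
Review bot: In the `if (*ap == NULL)` block, globfree(&gl) now sits on both the early-return path and the fall-through path, and the two copies are easy to get out of step in a later edit. Consider recording the result before freeing, for example `matched = (*ap != NULL);` followed by a single `globfree(&gl);` and then `if (!matched) return(FALSE);`. Since ap still points into the freed gl after the second globfree(&gl), it is also worth confirming that nothing below this hunk reads ap again, and a one-line comment above the check stating that ap points into gl would keep the ordering from being reversed.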
