Hi,

I've prepared an NMU for sudo (versioned as 1.7.2p1-1.1) and uploaded it to DELAYED/5. The diff is attached to this message. If you'd like me to cancel or reschedule the upload, please let me know.

It includes the upstream change to fix this problem shown at http://sudo.ws/repos/sudo/rev/88f3181692fe

-- 
Matt
http://ftbfs.org/kraai

diff -u sudo-1.7.2p1/debian/changelog sudo-1.7.2p1/debian/changelog --- sudo-1.7.2p1/debian/changelog +++ sudo-1.7.2p1/debian/changelog @@ -1,3 +1,10 @@ +sudo (1.7.2p1-1.1) unstable; urgency=low + + * patch from upstream to prevent the special command "sudoedit" from + running any executable named sudoedit, closes: #570737 (CVE-2010-0426) + + -- Matt Kraai <kr...@debian.org> Fri, 26 Feb 2010 06:56:35 -0800 + sudo (1.7.2p1-1) unstable; urgency=low * new upstream version only in patch2: unchanged: --- sudo-1.7.2p1.orig/match.c +++ sudo-1.7.2p1/match.c @@ -381,7 +381,7 @@ char *sudoers_args; { /* Check for pseudo-commands */ - if (strchr(user_cmnd, '/') == NULL) { + if (sudoers_cmnd[0] != '/') { /* * Return true if both sudoers_cmnd and user_cmnd are "sudoedit" AND * a) there are no args in sudoers OR
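
Review bot: In the debian/changelog hunk, the new entry is marked urgency=low even though it closes a bug that carries a CVE identifier (CVE-2010-0426). Consider raising the urgency so the fix reaches testing promptly, or state in the entry why low is intended.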
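
Review bot: In the match.c hunk at line 381, the pseudo-command branch is now selected by `sudoers_cmnd[0] != '/'` rather than by a test on user_cmnd, but the comment above it still reads only "Check for pseudo-commands". It would help to extend that comment to say the decision is made on the sudoers entry and not on the user-supplied command. With the new condition a user_cmnd containing a '/' can reach the "sudoedit" comparison described in the block comment, and that comparison lies outside the visible context, so please confirm it matches user_cmnd as a whole string and not by basename.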