fix from Peter Samuelson for use-after-free bug parsing wildcards in sudoers lenny
authorBdale Garbee <bdale@gag.com>
Tue, 15 Feb 2011 04:02:26 +0000 (21:02 -0700)
committerBdale Garbee <bdale@gag.com>
Tue, 15 Feb 2011 04:02:26 +0000 (21:02 -0700)
debian/changelog
parse.c

index 2d51106273f035f02866bfbde0da20963b2058a6..e1941573ebb912b19956f1fa5d4c36398265a77a 100644 (file)
@@ -1,3 +1,10 @@
+sudo (1.6.9p17-4) UNRELEASED; urgency=low
+
+  * patch from Peter Samuelson <peter@p12n.org> for use-after-free bug 
+    parsing wildcards in sudoers, closes: #613448
+
+ -- Bdale Garbee <bdale@gag.com>  Mon, 14 Feb 2011 21:02:09 -0700
+
 sudo (1.6.9p17-3) stable-security; urgency=high
 
   * Patch from Moritz Muehlenhoff fixing CVE-2010-1646, in which secure path
diff --git a/parse.c b/parse.c
index f22baffa07a47f824ecbc57199723830dac0a5b6..7a64987e179cf27ff1d9f87b42126739a2e2d4f5 100644 (file)
--- a/parse.c
+++ b/parse.c
@@ -316,9 +316,11 @@ command_matches(sudoers_cmnd, sudoers_args)
                break;
            }
        }
-       globfree(&gl);
-       if (*ap == NULL)
+       if (*ap == NULL) {
+           globfree(&gl);
            return(FALSE);
+       }
+       globfree(&gl);
 
        if (!sudoers_args ||
            (!user_args && sudoers_args && !strcmp("\"\"", sudoers_args)) ||
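Review bot: Nothing in the new code records that `*ap` must be tested before `globfree(&gl)`, and with two `globfree(&gl)` calls on separate paths a later cleanup could easily merge them back above the check. Going by the commit message, `ap` points into storage owned by `gl`; the loop that sets it is outside the hunk, so this is inferred. I would add a comment above the test such as `/* ap points into gl; test *ap before globfree() */`. Alternatively, keep a single free site by saving the result in a new local first: `matched = (*ap != NULL);`, then `globfree(&gl);`, then `if (!matched) return(FALSE);`. command_matches starts and ends outside this hunk, so whether any later code still reads through `ap` cannot be checked from here.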