+sudo (1.6.9p17-3) stable-security; urgency=high
+
+ * Patch from Moritz Muehlenhoff fixing CVE-2010-1646, in which secure path
+ could be circumvented, closes: #585394
+
+ -- Bdale Garbee <bdale@gag.com> Thu, 10 Jun 2010 17:30:33 -0600
+
sudo (1.6.9p17-2+lenny1) stable-security; urgency=high
* Non-maintainer upload by the Security Team.
{
char **nep;
size_t varlen;
+ int found = FALSE;
/* Make sure there is room for the new entry plus a NULL. */
if (e->env_len + 2 > e->env_size) {
}
if (dupcheck) {
- varlen = (strchr(str, '=') - str) + 1;
+ varlen = (strchr(str, '=') - str) + 1;
- for (nep = e->envp; *nep; nep++) {
+ for (nep = e->envp; !found && *nep != NULL; nep++) {
+ if (strncmp(str, *nep, varlen) == 0) {
+ *nep = str;
+ found = TRUE;
+ }
+ }
+ /* Prune out duplicate variables. */
+ if (found) {
+ while (*nep != NULL) {
if (strncmp(str, *nep, varlen) == 0) {
- *nep = str;
- return;
+ memmove(nep, nep + 1,
+ (e->env_len - (nep - e->envp)) * sizeof(char *));
+ e->env_len--;
+ } else {
+ nep++;
}
}
- } else
- nep = e->envp + e->env_len;
+ }
+ }
- e->env_len++;
- *nep++ = str;
- *nep = NULL;
+ if (!found) {
+ nep = e->envp + e->env_len;
+ e->env_len++;
+ *nep++ = str;
+ *nep = NULL;
+ }
}
/*
projects / debian / sudo / commitdiff