pull in stable security update 1.6.9p17-2+lenny1

diff --git a/debian/changelog b/debian/changelog
index e0be9d4751f722180720f3e2dab7a90658120404..f1f7375141d427df1a1bc16ea0c66d5bdc807f97 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+sudo (1.6.9p17-2+lenny1) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fixed CVE-2010-0426: verify path for the 'sudoedit' pseudo-command
+    (Closes: #570737)
+  * Fixed CVE-2010-0427: When changing the runas user, reset any aux runas
+    groups we have cached.
+
+ -- Giuseppe Iuculano <iuculano@debian.org>  Tue, 02 Mar 2010 15:22:43 +0100
+
 sudo (1.6.9p17-2) unstable; urgency=high
 
   * patch from upstream to fix privilege escalation with certain 

diff --git a/parse.c b/parse.c
index b1c7cd9258f9fdcc963b29f79a6fdb0503c34893..f22baffa07a47f824ecbc57199723830dac0a5b6 100644 (file)
--- a/parse.c
+++ b/parse.c
@@ -259,7 +259,7 @@ command_matches(sudoers_cmnd, sudoers_args)
     DIR *dirp;
 
     /* Check for pseudo-commands */
-    if (strchr(user_cmnd, '/') == NULL) {
+    if (sudoers_cmnd[0] != '/') {
        /*
         * Return true if both sudoers_cmnd and user_cmnd are "sudoedit" AND
         *  a) there are no args in sudoers OR

diff --git a/set_perms.c b/set_perms.c
index 77c68e986af22a499c258e19d5d695ae27905568..5eafe5b1234f3c712a65f1da049b6aca18638b57 100644 (file)
--- a/set_perms.c
+++ b/set_perms.c
@@ -376,11 +376,12 @@ set_perms(perm)
 #endif /* HAVE_SETRESUID */
 
 #ifdef HAVE_INITGROUPS
+static int runas_ngroups = -1;
+static GETGROUPS_T *runas_groups;
+
 static void
 runas_setgroups()
 {
-    static int ngroups = -1;
-    static GETGROUPS_T *groups;
     struct passwd *pw;
 
     if (def_preserve_groups)
@@ -389,21 +390,28 @@ runas_setgroups()
     /*
      * Use stashed copy of runas groups if available, else initgroups and stash.
      */
-    if (ngroups == -1) {
+    if (runas_ngroups == -1) {
        pw = runas_pw ? runas_pw : sudo_user.pw;
        if (initgroups(pw->pw_name, pw->pw_gid) < 0)
            log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector");
-       if ((ngroups = getgroups(0, NULL)) < 0)
+       if ((runas_ngroups = getgroups(0, NULL)) < 0)
            log_error(USE_ERRNO|MSG_ONLY, "can't get runas ngroups");
-       groups = emalloc2(ngroups, sizeof(GETGROUPS_T));
-       if (getgroups(ngroups, groups) < 0)
+       runas_groups = emalloc2(runas_ngroups, sizeof(GETGROUPS_T));
+       if (getgroups(runas_ngroups, runas_groups) < 0)
            log_error(USE_ERRNO|MSG_ONLY, "can't get runas group vector");
     } else {
-       if (setgroups(ngroups, groups) < 0)
+       if (setgroups(runas_ngroups, runas_groups) < 0)
            log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector");
     }
 }
 
+void
+runas_resetgroups()
+{
+    runas_ngroups = -1;
+    efree(runas_groups);
+}
+
 static void
 restore_groups()
 {

diff --git a/sudo.c b/sudo.c
index e630059d269414ef6536e3408c277c910129918b..6eb5930b165cd1c03c6ced4d304ba724fdb2917d 100644 (file)
--- a/sudo.c
+++ b/sudo.c
@@ -131,6 +131,7 @@ extern char **insert_env_vars               __P((char **, struct list_member *));
 extern struct passwd *sudo_getpwnam    __P((const char *));
 extern struct passwd *sudo_getpwuid    __P((uid_t));
 extern struct passwd *sudo_pwdup       __P((const struct passwd *));
+extern void runas_resetgroups          __P((void));
 
 /*
  * Globals
@@ -1240,6 +1241,7 @@ set_runaspw(user)
        if (runas_pw == NULL)
            log_error(NO_MAIL|MSG_ONLY, "no passwd entry for %s!", user);
     }
+    runas_resetgroups();
     return(TRUE);
 }