From: Bdale Garbee
Date: Thu, 10 Jun 2010 23:31:09 +0000 (-0600)
Subject: fix for CVE-2010-1646
X-Git-Tag: debian/1.6.9p17-3
X-Git-Url: https://git.gag.com/?a=commitdiff_plain;h=9ee6fd12d63ac4d933accf1f86375b9da71a28d7;p=debian%2Fsudo
fix for CVE-2010-1646
---
diff --git a/debian/changelog b/debian/changelog
index f1f7375..2d51106 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+sudo (1.6.9p17-3) stable-security; urgency=high
+
+ * Patch from Moritz Muehlenhoff fixing CVE-2010-1646, in which secure path
+ could be circumvented, closes: #585394
+
+ -- Bdale Garbee Thu, 10 Jun 2010 17:30:33 -0600
+
 sudo (1.6.9p17-2+lenny1) stable-security; urgency=high

 * Non-maintainer upload by the Security Team.
diff --git a/env.c b/env.c
index d04186c..9b3f15d 100644
--- a/env.c
+++ b/env.c
@@ -275,6 +275,7 @@ insert_env(str, e, dupcheck)
 {
 char **nep;
 size_t varlen;
+ int found = FALSE;

 /* Make sure there is room for the new entry plus a NULL. */
 if (e->env_len + 2 > e->env_size) {
@@ -283,20 +284,34 @@ insert_env(str, e, dupcheck)
 }

 if (dupcheck) {
- varlen = (strchr(str, '=') - str) + 1;
+ varlen = (strchr(str, '=') - str) + 1;

- for (nep = e->envp; *nep; nep++) {
+ for (nep = e->envp; !found && *nep != NULL; nep++) {
+ if (strncmp(str, *nep, varlen) == 0) {
+ *nep = str;
+ found = TRUE;
+ }
+ }
+ /* Prune out duplicate variables. */
+ if (found) {
+ while (*nep != NULL) {
 if (strncmp(str, *nep, varlen) == 0) {
- *nep = str;
- return;
+ memmove(nep, nep + 1,
+ (e->env_len - (nep - e->envp)) * sizeof(char *));
+ e->env_len--;
+ } else {
+ nep++;
 }
 }
- } else
- nep = e->envp + e->env_len;
+ }
+ }

- e->env_len++;
- *nep++ = str;
- *nep = NULL;
+ if (!found) {
+ nep = e->envp + e->env_len;
+ e->env_len++;
+ *nep++ = str;
+ *nep = NULL;
+ }
 }

 /*
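Review bot: The duplicate pruning added in the second env.c hunk runs only when `dupcheck` is nonzero, so the guarantee this fix provides (a single surviving instance of a variable such as PATH) depends on every caller that sets a security-relevant variable passing a true `dupcheck`. Those callers are outside this diff, so the contract is worth confirming and stating in the comment above insert_env. The `memmove` length `(e->env_len - (nep - e->envp)) * sizeof(char *)` is right only because it also moves the terminating NULL at `e->envp[e->env_len]`; I would add `/* Shift the tail down, including the terminating NULL. */` above it. Separately, the re-indented `varlen = (strchr(str, '=') - str) + 1;` still assumes `str` contains '='; if callers do not guarantee that, strchr returns NULL and the subtraction is undefined. The function's signature and the lines between the two hunks are not visible here.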