From: Bdale Garbee <bdale@gag.com>
Date: Thu, 10 Jun 2010 23:27:30 +0000 (-0600)
Subject: pull in stable security update 1.6.9p17-2+lenny1
X-Git-Tag: debian/1.6.9p17-2+lenny1
X-Git-Url: https://git.gag.com/?a=commitdiff_plain;h=daccc4f36c8a6bead9e3641f0a313698d309c957;p=debian%2Fsudo

pull in stable security update 1.6.9p17-2+lenny1
---

diff --git a/debian/changelog b/debian/changelog
index e0be9d4..f1f7375 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+sudo (1.6.9p17-2+lenny1) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fixed CVE-2010-0426: verify path for the 'sudoedit' pseudo-command
+    (Closes: #570737)
+  * Fixed CVE-2010-0427: When changing the runas user, reset any aux runas
+    groups we have cached.
+
+ -- Giuseppe Iuculano <iuculano@debian.org>  Tue, 02 Mar 2010 15:22:43 +0100
+
 sudo (1.6.9p17-2) unstable; urgency=high
 
   * patch from upstream to fix privilege escalation with certain 
diff --git a/parse.c b/parse.c
index b1c7cd9..f22baff 100644
--- a/parse.c
+++ b/parse.c
@@ -259,7 +259,7 @@ command_matches(sudoers_cmnd, sudoers_args)
     DIR *dirp;
 
     /* Check for pseudo-commands */
-    if (strchr(user_cmnd, '/') == NULL) {
+    if (sudoers_cmnd[0] != '/') {
 	/*
 	 * Return true if both sudoers_cmnd and user_cmnd are "sudoedit" AND
 	 *  a) there are no args in sudoers OR
diff --git a/set_perms.c b/set_perms.c
index 77c68e9..5eafe5b 100644
--- a/set_perms.c
+++ b/set_perms.c
@@ -376,11 +376,12 @@ set_perms(perm)
 #endif /* HAVE_SETRESUID */
 
 #ifdef HAVE_INITGROUPS
+static int runas_ngroups = -1;
+static GETGROUPS_T *runas_groups;
+
 static void
 runas_setgroups()
 {
-    static int ngroups = -1;
-    static GETGROUPS_T *groups;
     struct passwd *pw;
 
     if (def_preserve_groups)
@@ -389,21 +390,28 @@ runas_setgroups()
     /*
      * Use stashed copy of runas groups if available, else initgroups and stash.
      */
-    if (ngroups == -1) {
+    if (runas_ngroups == -1) {
 	pw = runas_pw ? runas_pw : sudo_user.pw;
 	if (initgroups(pw->pw_name, pw->pw_gid) < 0)
 	    log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector");
-	if ((ngroups = getgroups(0, NULL)) < 0)
+	if ((runas_ngroups = getgroups(0, NULL)) < 0)
 	    log_error(USE_ERRNO|MSG_ONLY, "can't get runas ngroups");
-	groups = emalloc2(ngroups, sizeof(GETGROUPS_T));
-	if (getgroups(ngroups, groups) < 0)
+	runas_groups = emalloc2(runas_ngroups, sizeof(GETGROUPS_T));
+	if (getgroups(runas_ngroups, runas_groups) < 0)
 	    log_error(USE_ERRNO|MSG_ONLY, "can't get runas group vector");
     } else {
-	if (setgroups(ngroups, groups) < 0)
+	if (setgroups(runas_ngroups, runas_groups) < 0)
 	    log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector");
     }
 }
 
+void
+runas_resetgroups()
+{
+    runas_ngroups = -1;
+    efree(runas_groups);
+}
+
 static void
 restore_groups()
 {
diff --git a/sudo.c b/sudo.c
index e630059..6eb5930 100644
--- a/sudo.c
+++ b/sudo.c
@@ -131,6 +131,7 @@ extern char **insert_env_vars		__P((char **, struct list_member *));
 extern struct passwd *sudo_getpwnam	__P((const char *));
 extern struct passwd *sudo_getpwuid	__P((uid_t));
 extern struct passwd *sudo_pwdup	__P((const struct passwd *));
+extern void runas_resetgroups		__P((void));
 
 /*
  * Globals
@@ -1240,6 +1241,7 @@ set_runaspw(user)
 	if (runas_pw == NULL)
 	    log_error(NO_MAIL|MSG_ONLY, "no passwd entry for %s!", user);
     }
+    runas_resetgroups();
     return(TRUE);
 }