sudo/sudo-CVE-2010-1163.patch

Index: sudo-1.7.2p4/find_path.c
===================================================================
--- sudo-1.7.2p4.orig/find_path.c	2010-05-18 17:40:20.000000000 +0200
+++ sudo-1.7.2p4/find_path.c	2010-05-18 17:46:44.000000000 +0200
@@ -126,7 +126,10 @@ find_path(infile, outfile, sbp, path)
      * Check current dir if dot was in the PATH
      */
     if (!result && checkdot) {
-	result = sudo_goodpath(infile, sbp);
+        len = snprintf(command, sizeof(command), "./%s", infile);
+        if (len <= 0 || len >= sizeof(command))
+            errorx(1, "%s: File name too long", infile);
+        result = sudo_goodpath(command, sbp);
 	if (result && def_ignore_dot)
 	    return(NOT_FOUND_DOT);
     }
Updating link to change in openSUSE:Factory/sudo revision 26.0 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=762302b9eca24013cbda733513da20e3 2010-05-25 11:25:42 +00:00			`Index: sudo-1.7.2p4/find_path.c`
			`===================================================================`
			`--- sudo-1.7.2p4.orig/find_path.c 2010-05-18 17:40:20.000000000 +0200`
			`+++ sudo-1.7.2p4/find_path.c 2010-05-18 17:46:44.000000000 +0200`
			`@@ -126,7 +126,10 @@ find_path(infile, outfile, sbp, path)`
			`* Check current dir if dot was in the PATH`
			`*/`
			`if (!result && checkdot) {`
			`- result = sudo_goodpath(infile, sbp);`
			`+ len = snprintf(command, sizeof(command), "./%s", infile);`
			`+ if (len <= 0 \|\| len >= sizeof(command))`
			`+ errorx(1, "%s: File name too long", infile);`
			`+ result = sudo_goodpath(command, sbp);`
			`if (result && def_ignore_dot)`
			`return(NOT_FOUND_DOT);`
			`}`