bnc#594738

OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=11
2010-06-02 12:31:24 +00:00 · 2010-06-02 12:31:24 +00:00 · aeeae9962d
commit aeeae9962d
parent ebe3884aa7
3 changed files with 94 additions and 0 deletions
--- a/sudo-CVE-2010-1646.patch
+++ b/sudo-CVE-2010-1646.patch
@ -0,0 +1,87 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@courtesan.com>
+# Date 1275055525 14400
+# Node ID a09c6812eaecd6a18f424e66419e6acaf80befc9
+# Parent  c17c54dc03b35472377a73544ad91384a81303f8
+Handle duplicate variables in the environment.  For unsetenv(),
+keep looking even after remove the first instance.  For sudo_putenv(),
+check for and remove dupes after we replace an existing value.
+
+Index: sudo-1.7.2p4/env.c
+===================================================================
+--- sudo-1.7.2p4.orig/env.c	2010-06-02 12:20:58.000000000 +0200
+++ sudo-1.7.2p4/env.c	2010-06-02 12:23:42.000000000 +0200
+@@ -321,7 +321,7 @@ int
+ unsetenv(var)
+     const char *var;
+ {
+-    char **ep;
+    char **ep = env.envp;
+     size_t len;
+ 
+     if (strchr(var, '=') != NULL) {
+@@ -359,13 +359,15 @@ unsetenv(var)
+     }
+ 
+     len = strlen(var);
+-    for (ep = env.envp; *ep; ep++) {
+    while (*ep != NULL) {
+ 	if (strncmp(var, *ep, len) == 0 && (*ep)[len] == '=') {
+ 	    /* Found it; shift remainder + NULL over by one and update len. */
+ 	    memmove(ep, ep + 1,
+ 		(env.env_len - (ep - env.envp)) * sizeof(char *));
+ 	    env.env_len--;
+-	    break;
+	    /* Keep going, could be multiple instances of the var. */
+	} else {
+	    ep++;
+ 	}
+     }
+ #ifndef UNSETENV_VOID
+@@ -433,6 +435,7 @@ sudo_putenv(str, dupcheck, overwrite)
+ {
+     char **ep;
+     size_t len;
+    int found = FALSE;
+ 
+     /* Make sure there is room for the new entry plus a NULL. */
+     if (env.env_len + 2 > env.env_size) {
+@@ -452,19 +455,33 @@ sudo_putenv(str, dupcheck, overwrite)
+ 
+     if (dupcheck) {
+ 	    len = (strchr(str, '=') - str) + 1;
+-	    for (ep = env.envp; *ep; ep++) {
+	for (ep = env.envp; !found && *ep != NULL; ep++) {
+ 		if (strncmp(str, *ep, len) == 0) {
+ 		    if (overwrite)
+ 			*ep = str;
+-		    return;
+		found = TRUE;
+	    }
+	}
+	/* Prune out duplicate variables. */
+	if (found && overwrite) {
+	    while (*ep != NULL) {
+		if (strncmp(str, *ep, len) == 0) {
+		    memmove(ep, ep + 1,
+			(env.env_len - (ep - env.envp)) * sizeof(char *));
+		    env.env_len--;
+		} else {
+		    ep++;
+		}
+	    }
+ 		}
+ 	    }
+-    } else
+-	ep = env.envp + env.env_len;
+ 
+    if (!found) {
+	ep = env.envp + env.env_len;
+     env.env_len++;
+     *ep++ = str;
+     *ep = NULL;
+    }
+ }
+ 
+ /*
--- a/sudo.changes
+++ b/sudo.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Jun  2 10:32:42 UTC 2010 - puzel@novell.com
+
+- add sudo-CVE-2010-1646.patch (bnc#594738) 
+
 -------------------------------------------------------------------
 Tue May 18 15:52:10 UTC 2010 - puzel@novell.com

--- a/sudo.spec
+++ b/sudo.spec
@ -39,6 +39,7 @@ Patch5:         %{name}-1.7.1-secure_path.diff
 Patch6:         %{name}-1.7.1-env.diff
 Patch7:         %{name}-1.7.1-pam_rhost.diff
 Patch8:         sudo-CVE-2010-1163.patch
+Patch9:         sudo-CVE-2010-1646.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -68,6 +69,7 @@ Authors:
 %patch6
 %patch7
 %patch8 -p1
+%patch9 -p1
 cp %{SOURCE2} .

 %build