head 1.1; access; symbols OPENPKG_2_STABLE_MP:1.1 OPENPKG_E1_MP_HEAD:1.1 OPENPKG_E1_MP:1.1 OPENPKG_E1_MP_2_STABLE:1.1 OPENPKG_E1_FP:1.1 OPENPKG_2_STABLE_20061018:1.1 OPENPKG_2_STABLE:1.1.0.12 OPENPKG_2_STABLE_BP:1.1 OPENPKG_2_5_SOLID:1.1.0.10 OPENPKG_2_5_SOLID_BP:1.1 OPENPKG_2_4_RELEASE:1.1.8.1 OPENPKG_2_4_SOLID:1.1.0.8 OPENPKG_2_4_SOLID_BP:1.1 OPENPKG_2_3_RELEASE:1.1 OPENPKG_2_3_SOLID:1.1.0.6 OPENPKG_2_3_SOLID_BP:1.1 OPENPKG_2_2_SOLID:1.1.0.4 OPENPKG_2_1_SOLID:1.1.0.2; locks; strict; comment @# @; 1.1 date 2005.01.14.15.42.22; author ms; state dead; branches 1.1.2.1 1.1.4.1 1.1.6.1 1.1.8.1 1.1.10.1; next ; 1.1.2.1 date 2005.01.14.15.42.22; author ms; state Exp; branches; next ; 1.1.4.1 date 2005.01.14.15.42.27; author ms; state Exp; branches; next ; 1.1.6.1 date 2005.06.23.13.32.23; author rse; state Exp; branches; next 1.1.6.2; 1.1.6.2 date 2006.02.18.09.28.20; author rse; state Exp; branches; next ; commitid bPZTtvFVxq1GW2mr; 1.1.8.1 date 2005.06.23.13.27.08; author rse; state Exp; branches; next 1.1.8.2; 1.1.8.2 date 2006.02.18.09.27.06; author rse; state Exp; branches; next ; commitid yx8Cstk4dekfW2mr; 1.1.10.1 date 2006.02.18.09.25.35; author rse; state Exp; branches; next ; commitid QoMXPp5Ew9kJV2mr; desc @@ 1.1 log @file sudo.patch was initially added on branch OPENPKG_2_1_SOLID. 
@ text @@ 1.1.10.1 log @Security Fix (CAN-2005-2959) @ text @a0 18 Security Fix (CAN-2005-2959) Index: env.c --- env.c.orig 2005-02-06 16:37:01 +0100 +++ env.c 2006-02-18 10:21:09 +0100 @@@@ -124,6 +124,12 @@@@ "TERMCAP", /* XXX - only if it starts with '/' */ "ENV", "BASH_ENV", + "PS4", + "SHELLOPTS", + "JAVA_TOOL_OPTIONS", + "PERLLIB", + "PERL5LIB", + "PERL5OPT", NULL }; @ 1.1.6.1 log @Apply security fix: OpenPKG-SA-2005.012-sudo (CAN-2005-1993) @ text @a0 70 OpenPKG-SA-2005.012-sudo (CAN-2005-1993) http://www.sudo.ws/sudo/alerts/path_race.html Index: ldap.c --- ldap.c.orig 2004-12-01 04:28:46 +0100 +++ ldap.c 2005-06-23 14:06:03 +0200 @@@@ -278,8 +278,6 @@@@ /* Match against ALL ? */ if (!strcasecmp(*p,"ALL")) { ret=1; - if (safe_cmnd) free (safe_cmnd); - safe_cmnd=estrdup(user_cmnd); if (ldap_conf.debug>1) printf(" MATCH!\n"); continue; } Index: parse.yacc --- parse.yacc.orig 2004-08-11 20:29:10 +0200 +++ parse.yacc 2005-06-23 14:06:03 +0200 @@@@ -676,10 +676,6 @@@@ } $$ = TRUE; - - if (safe_cmnd) - free(safe_cmnd); - safe_cmnd = estrdup(user_cmnd); } | ALIAS { aliasinfo *aip; Index: sudo.c --- sudo.c.orig 2005-03-25 02:56:41 +0100 +++ sudo.c 2005-06-23 14:06:03 +0200 @@@@ -275,6 +275,8 @@@@ /* Validate the user but don't search for pseudo-commands. */ validated = sudoers_lookup(pwflag); } + if (safe_cmnd == NULL) + safe_cmnd = user_cmnd; /* * If we are using set_perms_posix() and the stay_setuid flag was not set, @@@@ -391,14 +393,6 @@@@ exit(0); } - /* This *must* have been set if we got a match but... */ - if (safe_cmnd == NULL) { - log_error(MSG_ONLY, - "internal error, safe_cmnd never got set for %s; %s", - user_cmnd, - "please report this error at http://courtesan.com/sudo/bugs/"); - } - /* Override user's umask if configured to do so. 
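Review bot: The six names added after `"BASH_ENV",` carry no comment, although the neighbouring `"TERMCAP"` entry does; a short note per group would make the list easier to audit, e.g. `/* bash: PS4, SHELLOPTS */`, `/* JVM: JAVA_TOOL_OPTIONS */` and `/* perl: PERLLIB, PERL5LIB, PERL5OPT */`. The array is a denylist, so any interpreter option or search-path variable that is not listed still reaches the executed command, and the list has to be revisited whenever a new interpreter is allowed in sudoers. The array's declaration is outside the hunk, so its being the built-in removal list is inferred from the surrounding entries. The same hunk is repeated in revisions 1.1.6.2 and 1.1.8.2.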
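Review bot: After the added `if (safe_cmnd == NULL) safe_cmnd = user_cmnd;` in sudo.c, `safe_cmnd` is either a pointer set during the sudoers lookup or an alias of `user_cmnd`, and nothing at this spot records that. The lines this patch removes elsewhere freed `safe_cmnd` before reassigning it, so any `free(safe_cmnd)` remaining outside these hunks would presumably release `user_cmnd` too; a comment such as `/* safe_cmnd may alias user_cmnd from here on; do not free it */` would make the ownership explicit. The fallback also absorbs the condition that the deleted "internal error, safe_cmnd never got set" message used to report, so a lookup path that matches a specific command without setting `safe_cmnd` would now run the user-supplied path silently. The enclosing function starts and ends outside the hunk, and the same hunk appears in revision 1.1.8.1.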
*/ if (def_umask != 0777) (void) umask(def_umask); Index: sudo.tab.c --- sudo.tab.c.orig 2004-08-11 20:29:36 +0200 +++ sudo.tab.c 2005-06-23 14:06:03 +0200 @@@@ -1740,10 +1740,6 @@@@ } yyval.BOOLEAN = TRUE; - - if (safe_cmnd) - free(safe_cmnd); - safe_cmnd = estrdup(user_cmnd); } break; case 61: @ 1.1.6.2 log @Security Fix (CAN-2005-2959) @ text @a70 21 ----------------------------------------------------------------------------- Security Fix (CAN-2005-2959) Index: env.c --- env.c.orig 2005-02-06 16:37:01 +0100 +++ env.c 2006-02-18 10:21:09 +0100 @@@@ -124,6 +124,12 @@@@ "TERMCAP", /* XXX - only if it starts with '/' */ "ENV", "BASH_ENV", + "PS4", + "SHELLOPTS", + "JAVA_TOOL_OPTIONS", + "PERLLIB", + "PERL5LIB", + "PERL5OPT", NULL }; @ 1.1.8.1 log @Apply security fix: OpenPKG-SA-2005.012-sudo (CAN-2005-1993) @ text @a0 70 OpenPKG-SA-2005.012-sudo (CAN-2005-1993) http://www.sudo.ws/sudo/alerts/path_race.html Index: ldap.c --- ldap.c.orig 2004-12-01 04:28:46 +0100 +++ ldap.c 2005-06-23 14:06:03 +0200 @@@@ -278,8 +278,6 @@@@ /* Match against ALL ? */ if (!strcasecmp(*p,"ALL")) { ret=1; - if (safe_cmnd) free (safe_cmnd); - safe_cmnd=estrdup(user_cmnd); if (ldap_conf.debug>1) printf(" MATCH!\n"); continue; } Index: parse.yacc --- parse.yacc.orig 2004-08-11 20:29:10 +0200 +++ parse.yacc 2005-06-23 14:06:03 +0200 @@@@ -676,10 +676,6 @@@@ } $$ = TRUE; - - if (safe_cmnd) - free(safe_cmnd); - safe_cmnd = estrdup(user_cmnd); } | ALIAS { aliasinfo *aip; Index: sudo.c --- sudo.c.orig 2005-03-25 02:56:41 +0100 +++ sudo.c 2005-06-23 14:06:03 +0200 @@@@ -275,6 +275,8 @@@@ /* Validate the user but don't search for pseudo-commands. */ validated = sudoers_lookup(pwflag); } + if (safe_cmnd == NULL) + safe_cmnd = user_cmnd; /* * If we are using set_perms_posix() and the stay_setuid flag was not set, @@@@ -391,14 +393,6 @@@@ exit(0); } - /* This *must* have been set if we got a match but... 
*/ - if (safe_cmnd == NULL) { - log_error(MSG_ONLY, - "internal error, safe_cmnd never got set for %s; %s", - user_cmnd, - "please report this error at http://courtesan.com/sudo/bugs/"); - } - /* Override user's umask if configured to do so. */ if (def_umask != 0777) (void) umask(def_umask); Index: sudo.tab.c --- sudo.tab.c.orig 2004-08-11 20:29:36 +0200 +++ sudo.tab.c 2005-06-23 14:06:03 +0200 @@@@ -1740,10 +1740,6 @@@@ } yyval.BOOLEAN = TRUE; - - if (safe_cmnd) - free(safe_cmnd); - safe_cmnd = estrdup(user_cmnd); } break; case 61: @ 1.1.8.2 log @Security Fix (CAN-2005-2959) @ text @a70 21 ----------------------------------------------------------------------------- Security Fix (CAN-2005-2959) Index: env.c --- env.c.orig 2005-02-06 16:37:01 +0100 +++ env.c 2006-02-18 10:21:09 +0100 @@@@ -124,6 +124,12 @@@@ "TERMCAP", /* XXX - only if it starts with '/' */ "ENV", "BASH_ENV", + "PS4", + "SHELLOPTS", + "JAVA_TOOL_OPTIONS", + "PERLLIB", + "PERL5LIB", + "PERL5OPT", NULL }; @ 1.1.4.1 log @integrate bash variable cleansing patch to solve SA-2005.002 (CAN-2004-1051) @ text @a0 39 Sudo security advisory OpenPKG-SA-2005.002 and CAN-2004-1051, with patch taken from ftp://netmirror.org/ftp.sudo.ws/sudo-1.6.8p2.patch.gz ---------------------------------------------------------------------- Summary: All vendor sudo versions prior to 1.6.8p2 fail to sufficiently strip potentially dangerous bash variables from the environment passed to the program to be executed. If this vulnerability is properly exploited, the attacker could execute arbitrary code with superuser privilege. Index: env.c diff env.c.orig env.c --- env.c.orig Wed Sep 8 09:57:49 2004 +++ env.c Thu Nov 11 14:27:25 2004 @@@@ -323,6 +323,13 @@@@ /* Pull in vars we want to keep from the old environment. 
*/ for (ep = envp; *ep; ep++) { keepit = 0; + + /* Skip variables with values beginning with () (bash functions) */ + if ((cp = strchr(*ep, '=')) != NULL) { + if (strncmp(cp, "=() ", 3) == 0) + continue; + } + for (cur = def_env_keep; cur; cur = cur->next) { len = strlen(cur->value); /* Deal with '*' wildcard */ @@@@ -404,6 +411,12 @@@@ */ for (ep = envp; *ep; ep++) { okvar = 1; + + /* Skip variables with values beginning with () (bash functions) */ + if ((cp = strchr(*ep, '=')) != NULL) { + if (strncmp(cp, "=() ", 3) == 0) + continue; + } /* Skip anything listed in env_delete. */ for (cur = def_env_delete; cur && okvar; cur = cur->next) { @ 1.1.2.1 log @integrate bash variable cleansing patch to solve SA-2005.002 (CAN-2004-1051) @ text @a0 39 Sudo security advisory OpenPKG-SA-2005.002 and CAN-2004-1051, with patch taken from ftp://netmirror.org/ftp.sudo.ws/sudo-1.6.8p2.patch.gz ---------------------------------------------------------------------- Summary: All vendor sudo versions prior to 1.6.8p2 fail to sufficiently strip potentially dangerous bash variables from the environment passed to the program to be executed. If this vulnerability is properly exploited, the attacker could execute arbitrary code with superuser privilege. Index: env.c diff env.c.orig env.c --- env.c.orig 2003-05-06 06:32:22 +0200 +++ env.c 2005-01-14 16:21:21 +0100 @@@@ -296,6 +296,13 @@@@ /* Pull in vars we want to keep from the old environment. 
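Review bot: The call `strncmp(cp, "=() ", 3)` compares only the three bytes `=()`, so the trailing space in the literal is never checked, and the literal and the length disagree about what is matched. The three-byte prefix is the wider filter, so the length should stay; writing `strncmp(cp, "=()", 3) == 0` with the comment `/* Skip any value that starts with "()" (bash function export) */` would state what the code actually does. The block is copied verbatim into the second loop of this patch (the hunk at -404) and into both env.c hunks of revision 1.1.2.1, so a small static helper taking `*ep` would keep the copies from drifting apart. Both loops begin and end outside the hunks.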
*/ for (ep = envp; *ep; ep++) { keepit = 0; + + /* Skip variables with values beginning with () (bash functions) */ + if ((cp = strchr(*ep, '=')) != NULL) { + if (strncmp(cp, "=() ", 3) == 0) + continue; + } + for (cur = def_list(I_ENV_KEEP); cur; cur = cur->next) { len = strlen(cur->value); /* Deal with '*' wildcard */ @@@@ -370,6 +377,12 @@@@ for (ep = envp; *ep; ep++) { okvar = 1; + /* Skip variables with values beginning with () (bash functions) */ + if ((cp = strchr(*ep, '=')) != NULL) { + if (strncmp(cp, "=() ", 3) == 0) + continue; + } + /* Skip anything listed in env_delete. */ for (cur = def_list(I_ENV_DELETE); cur && okvar; cur = cur->next) { len = strlen(cur->value); @