Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 10 Feb 2015 13:17:59 +0100
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: sudo TZ issue

On 02/09/2015 10:42 PM, Todd C. Miller wrote:

> Beginning with sudo 1.8.12, TZ is only passed through by default
> if it is considered "safe".  The TZ variable is now considered
> "unsafe" if any of the following are true:
> 
>     o   It consists of a fully-qualified path name that
>         does not match the location of the zoneinfo directory.
> 
>     o   It contains a ".." path element.
> 
>     o   It contains white space or non-printable characters.
> 
>     o   It is longer than the value of PATH_MAX.

You also need to ignore a leading “:” for the absolute path name check,
to match glibc behavior (and potentially others).

The code in sudo 1.8.12 handles this case correctly, but it's not clear
from the description above.

-- 
Florian Weimer / Red Hat Product Security

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ