Date: Tue, 10 Feb 2015 13:17:59 +0100 From: Florian Weimer <fweimer@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE request: sudo TZ issue On 02/09/2015 10:42 PM, Todd C. Miller wrote: > Beginning with sudo 1.8.12, TZ is only passed through by default > if it is considered "safe". The TZ variable is now considered > "unsafe" if any of the following are true: > > o It consists of a fully-qualified path name that > does not match the location of the zoneinfo directory. > > o It contains a ".." path element. > > o It contains white space or non-printable characters. > > o It is longer than the value of PATH_MAX. You also need to ignore a leading “:” for the absolute path name check, to match glibc behavior (and potentially others). The code in sudo 1.8.12 handles this case correctly, but it's not clear from the description above. -- Florian Weimer / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ