Package: sudo
Version: 1.6.8p7-1.3
Tags: +patch
Followup-For: Bug #354431

I've identified the problem: env_rebuild() in env.c didn't
properly record the fact that it had already copied the PATH
and then scribbled the _PATH_DEFPATH over it. _PATH_DEFPATH
is /usr/bin:/bin.

This insertion was done without a duplicate check, and
the subsequent SECURE_PATH overrule applied only to the first listed
variable.

The problem applies to 1.6.8p12.

A patch is attached, which works for both versions (with a few lines
offset in p12).

Please note that the patch cleans up only the totally broken duplicate
path issue, and does not affect line 493 in env.c, which still
unconditionally overrides any PATH with SECURE_PATH. I still think
that this is a bug as it conflicts with the meaning of env_keep, but
I am unsure as to how to fix this more fundamental but minor issue cleanly.

regards
az

-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (980, 'testing'), (970, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.14
Locale: LANG=C, LC_CTYPE=de_AT (charmap=ISO-8859-1)
Versions of packages sudo depends on:
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam0g 0.76-22 Pluggable Authentication Modules l
-- no debconf information
--- env.c.old 2006-02-26 18:24:58.000000000 +1000
+++ env.c 2006-02-26 18:30:10.000000000 +1000
@@ -386,6 +386,10 @@
if (strncmp(*ep, "USER=", 5) == 0)
SET(didvar, DID_USER);
break;
+ case 'P':
+ if (strncmp("PATH=", *ep, 5) == 0)
+ SET(didvar,DID_PATH);
+ break;
}
insert_env(*ep, 0);
} else {
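
Review bot: the new case 'P' records DID_PATH only in this branch, and the "} else {" branch that follows is not touched by the hunk, so please confirm that a PATH copied on that side is also recorded before the default-path fallback runs; otherwise the duplicate entry described in the report can still appear there. A short comment on the new case saying that DID_PATH is set so that _PATH_DEFPATH is not added a second time would make the intent clear to later readers. Two style points in the added lines: strncmp("PATH=", *ep, 5) has its arguments in the opposite order from the strncmp(*ep, "USER=", 5) just above it, and SET(didvar,DID_PATH) is missing the space after the comma that SET(didvar, DID_USER) uses; matching the surrounding code would keep the switch uniform.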