> As this seems to only affect that one OS, I'm not sure I would call
> it a bug in sudo. When this was reported for 1.5.2 I took a look
> but couldn't find any way to reproduce it (and I don't have access
> to the OS in question).

I've been able to reproduce the exploit using cu-sudo 1.5.3 under DEC UNIX 4.0B and FreeBSD 2.2.5. After looking at the code the bug can be exploited on any platform.

Here is a patch to fix the problem, assuming your operating system of choice supports realpath(3). *BSD, Linux, Solaris, SunOS, DEC UNIX, AIX, and DG/UX should have no problem with this patch.

diff -ur sudo.v1.5.3.orig/find_path.c sudo.v1.5.3/find_path.c --- sudo.v1.5.3.orig/find_path.c Wed Nov 13 18:37:22 1996 +++ sudo.v1.5.3/find_path.c Mon Jan 12 17:55:43 1998 @@ -118,7 +118,11 @@ * the error is "not found" -- this way we get the correct error. */ if (strchr(file, '/')) { - (void) strcpy(command, file); + if (realpath(file, command) == NULL) { + (void) fprintf(stderr, "%s: %s", Argv[0], file); + perror(""); + exit(1); + } if (sudo_goodpath(command)) { return(command); } else {

>
> - todd
>

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBERat_private
Government of BC            Internet:  cschuberat_private
                                       Cy.Schubertat_private

                "Quit spooling around, JES do it."
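Review bot: in the added realpath() failure branch of find_path.c, the fprintf() call runs before perror(""), so the errno set by realpath() can be overwritten before it is reported, and because perror() is given an empty string the "%s: %s" format leaves no separator between the file name and the error text. Consider saving errno first and emitting the whole message in a single fprintf() using strerror() and a trailing newline. Two further points on the same lines: realpath() can write a full maximum-length path into its second argument, and the hunk does not show how command is declared, so please confirm that buffer is at least MAXPATHLEN bytes; and the new exit(1) is reached before sudo_goodpath(), so the comment just above about getting the correct "not found" error should be updated to match the new behaviour. Since the patch is stated to assume realpath(3) is available, a configure-time check with a fallback would keep the build working on platforms that lack it.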