Alexandra N. Kossovsky
2010-May-05 09:55 UTC
[Secure-testing-team] Bug#580342: sudo: Memory access after free()
Package: sudo-ldap
Version: 1.6.9p17-2+lenny1
Severity: grave
Tags: security patch
Justification: user security hole
Hello.
Following patch fixes memory access after free():
--- parse.c 2010-05-05 13:43:20.000000000 +0400
+++ parse.c.fixed 2010-05-05 13:42:45.000000000 +0400
@@ -316,9 +316,11 @@
break;
}
}
- globfree(&gl);
- if (*ap == NULL)
+ if (*ap == NULL) {
+ globfree(&gl);
return(FALSE);
+ }
+ globfree(&gl);
if (!sudoers_args ||
(!user_args && sudoers_args &&
!strcmp("\"\"", sudoers_args)) ||
Since ap points to the memory inside gl_pathv, it is not correct to
check ap value when gl is freed. sudo is a security sensitive
application, and there may be various effects of such access.
I''ve created this patch after exploring the problem similar to Debian
bugs 556562 578601. The patch fixes my problem.
Thank you for your work for Debian,
Alexandra.
-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (500, ''stable'')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages sudo-ldap depends on:
ii libc6 2.7-18lenny2 GNU C Library: Shared libraries
ii libldap-2.4-2 2.4.11-1+lenny1 OpenLDAP libraries
ii libpam-modules 1.0.1-5+lenny1 Pluggable Authentication Modules f
ii libpam0g 1.0.1-5+lenny1 Pluggable Authentication Modules l
sudo-ldap recommends no packages.
sudo-ldap suggests no packages.
-- debconf-show failed
--
Alexandra N. Kossovsky
OKTET Labs (http://www.oktetlabs.ru/)
Phones: +7(921)956-42-86(mobile) +7(812)783-21-91(office)
e-mail: sasha at oktetlabs.ru