[5944] in bugtraq
Re: hole in sudo for MP-RAS.
daemon@ATHENA.MIT.EDU (Todd C. Miller)
Mon Jan 12 23:46:21 1998
Date: Mon, 12 Jan 1998 21:02:51 -0700
Reply-To: "Todd C. Miller" <Todd.Miller@COURTESAN.COM>
From: "Todd C. Miller" <Todd.Miller@COURTESAN.COM>
X-To: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 12 Jan 1998 18:54:13 PST."
<199801130254.SAA13611@cwsys.cwsent.com>
The real problem is that there is an assumption in the path
matching code that things will start with '/' but they can
also, of course, start with '.'. Here's the "official" patch
if you will...
- todd
--- parse.c 1996/11/14 02:37:16 1.76
+++ parse.c 1998/01/13 03:59:35
@@ -218,7 +218,7 @@
static char *c;
/* don't bother with pseudo commands like "validate" */
- if (*cmnd != '/')
+ if (*cmnd != '/' && *cmnd != '.')
return(FALSE);
/* only need to stat cmnd once since it never changes */
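Review bot: The widened test on the `+` line, `*cmnd != '.'`, lets through any string whose first character is a dot, not only relative paths such as `./prog` or `../prog`; a bare name like `.validate` would now also reach the stat below. Consider testing for the `./` and `../` prefixes explicitly, or for the presence of a `/` anywhere in `cmnd`, so that only real path names continue. The comment above the test still describes only pseudo commands and should be updated to say that both absolute and relative paths are accepted. Since the following context line says `cmnd` is stat'ed once, it is also worth documenting that a relative `cmnd` is resolved against the current working directory at that point, and that the later comparison should be made on the resolved file rather than on the string as typed.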