oss-sec mailing list archives
Re: CVE request: sudo TZ issue
From: Florian Weimer <fweimer () redhat com>
Date: Tue, 10 Feb 2015 13:17:59 +0100
On 02/09/2015 10:42 PM, Todd C. Miller wrote:
Beginning with sudo 1.8.12, TZ is only passed through by default if it is considered "safe". The TZ variable is now considered "unsafe" if any of the following are true: o It consists of a fully-qualified path name that does not match the location of the zoneinfo directory. o It contains a ".." path element. o It contains white space or non-printable characters. o It is longer than the value of PATH_MAX.
You also need to ignore a leading “:” for the absolute path name check, to match glibc behavior (and potentially others). The code in sudo 1.8.12 handles this case correctly, but it's not clear from the description above. -- Florian Weimer / Red Hat Product Security
Current thread:
- CVE request: sudo TZ issue Todd C. Miller (Feb 09)
- <Possible follow-ups>
- Re: CVE request: sudo TZ issue Florian Weimer (Feb 10)
- Re: CVE request: sudo TZ issue Todd C. Miller (Feb 10)
- Re: CVE request: sudo TZ issue cve-assign (Feb 10)
- Re: Re: CVE request: sudo TZ issue Florian Weimer (Feb 11)
- Re: CVE request: sudo TZ issue cve-assign (Feb 12)
- Re: Re: CVE request: sudo TZ issue Todd C. Miller (Feb 11)
- Re: Re: CVE request: sudo TZ issue Rich Felker (Feb 12)
- Re: Re: CVE request: sudo TZ issue Simon McVittie (Feb 13)
- Re: Re: CVE request: sudo TZ issue Todd C. Miller (Feb 13)