oss-sec mailing list archives

Re: CVE request: sudo TZ issue

From: Florian Weimer <fweimer () redhat com>
Date: Tue, 10 Feb 2015 13:17:59 +0100

On 02/09/2015 10:42 PM, Todd C. Miller wrote:

Beginning with sudo 1.8.12, TZ is only passed through by default
if it is considered "safe".  The TZ variable is now considered
"unsafe" if any of the following are true:

    o   It consists of a fully-qualified path name that
        does not match the location of the zoneinfo directory.

    o   It contains a ".." path element.

    o   It contains white space or non-printable characters.

    o   It is longer than the value of PATH_MAX.


You also need to ignore a leading “:” for the absolute path name check,
to match glibc behavior (and potentially others).

The code in sudo 1.8.12 handles this case correctly, but it's not clear
from the description above.

-- 
Florian Weimer / Red Hat Product Security

Current thread:

CVE request: sudo TZ issue Todd C. Miller (Feb 09)
- <Possible follow-ups>
- Re: CVE request: sudo TZ issue Florian Weimer (Feb 10)
  - Re: CVE request: sudo TZ issue Todd C. Miller (Feb 10)
  - Re: CVE request: sudo TZ issue cve-assign (Feb 10)
    - Re: Re: CVE request: sudo TZ issue Florian Weimer (Feb 11)
    - Re: CVE request: sudo TZ issue cve-assign (Feb 12)
    - Re: Re: CVE request: sudo TZ issue Todd C. Miller (Feb 11)
- Re: Re: CVE request: sudo TZ issue Rich Felker (Feb 12)
  - Re: Re: CVE request: sudo TZ issue Simon McVittie (Feb 13)
  - Re: Re: CVE request: sudo TZ issue Todd C. Miller (Feb 13)