blob: d021873b708aa03bca323c1dca30a3cbb2908d35 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
Backport of:
From 12648b4e0a8cf486480442efd52f0e0b6cab6e8b Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Mon, 13 Mar 2023 08:04:32 -0600
Subject: [PATCH] Add missing " ; " separator between environment variables and
command. This is a regression introduced in sudo 1.9.13. GitHub issue #254.
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/sudo/tree/debian/patches/CVE-2023-2848x-2.patch?h=ubuntu/focal-security
Upstream commit https://github.com/sudo-project/sudo/commit/12648b4e0a8cf486480442efd52f0e0b6cab6e8b]
CVE: CVE-2023-28486 CVE-2023-28487
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
lib/eventlog/eventlog.c | 1 +
1 file changed, 1 insertion(+)
--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
@@ -1018,6 +1018,7 @@ new_logline(const char *message, const c
sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, " %s",
sudo_user.env_vars[i]);
}
+ sudo_lbuf_append(&lbuf, " ; ");
}
if (user_cmnd != NULL) {
sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL|LBUF_ESC_BLANK,
|
