Package: sudo / 1.8.10p3-1+deb8u2

Metadata

Package: sudo
Version: 1.8.10p3-1+deb8u2
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
typo in classic insults.diff

plugins/sudoers/ins_classic.h | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
paths in samples.diff

doc/sample.sudoers | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

---
Fix for broken FQDN host specifications.diff

plugins/sudoers/sudoers.c | 45 41 + 4 - 0 !
1 file changed, 41 insertions(+), 4 deletions(-)

Fix for broken FQDN host specifications

A bug was introduced in sudo 1.8.8 which broke host specifications using a
FQDN, e.g. Host_Alias = host.example.com. Upstream has fixed this in 1.8.12.

This patch contains the fix backported to 1.8.10p3.

future timestamp.diff

plugins/sudoers/boottime.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

---
CVE 2014 9680 1.patch

configure | 33 33 + 0 - 0 !
configure.ac | 7 7 + 0 - 0 !
doc/sudoers.cat | 38 27 + 11 - 0 !
doc/sudoers.man.in | 36 34 + 2 - 0 !
doc/sudoers.mdoc.in | 29 27 + 2 - 0 !
m4/sudo.m4 | 20 20 + 0 - 0 !
pathnames.h.in | 4 4 + 0 - 0 !
plugins/sudoers/env.c | 57 55 + 2 - 0 !
8 files changed, 207 insertions(+), 17 deletions(-)

CVE-2014-9680: unsafe handling of TZ environment variable

The TZ environment variable was passed through unchecked.  Most libc
tzset() implementations support passing an absolute pathname in the time
zone to point to an arbitrary, user-controlled file.  This may be used
to exploit bugs in the C library's TZ parser or open files the user
would not otherwise have access to.  Arbitrary file access via TZ could
also be used in a denial of service attack by reading from a file or
fifo that will block.

CVE 2014 9680 2.patch

doc/sudoers.cat | 6 3 + 3 - 0 !
doc/sudoers.man.in | 6 4 + 2 - 0 !
doc/sudoers.mdoc.in | 6 4 + 2 - 0 !
3 files changed, 11 insertions(+), 7 deletions(-)

Document handling of leading ':' when checking TZ variable

Document that a leading ':' is skipped when checking TZ for a
fully-qualified path name.