[Secure-testing-team] Bug#580342: sudo: Memory access after free()

[Alexandra N. Kossovsky]

Package: sudo-ldap
Version: 1.6.9p17-2+lenny1
Severity: grave
Tags: security patch
Justification: user security hole

Hello.

Following patch fixes memory access after free():

--- parse.c	2010-05-05 13:43:20.000000000 +0400
+++ parse.c.fixed	2010-05-05 13:42:45.000000000 +0400
@@ -316,9 +316,11 @@
 		break;
 	    }
 	}
-	globfree(&gl);
-	if (*ap == NULL)
+	if (*ap == NULL) {
+	    globfree(&gl);
 	    return(FALSE);
+	}
+	globfree(&gl);
 
 	if (!sudoers_args ||
 	    (!user_args && sudoers_args && !strcmp("\"\"", sudoers_args)) ||


Since ap points to the memory inside gl_pathv, it is not correct to
check ap value when gl is freed.  sudo is a security sensitive
application, and there may be various effects of such access.

I've created this patch after exploring the problem similar to Debian
bugs 556562 578601.  The patch fixes my problem.

Thank you for your work for Debian,
    Alexandra.

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sudo-ldap depends on:
ii  libc6                    2.7-18lenny2    GNU C Library: Shared libraries
ii  libldap-2.4-2            2.4.11-1+lenny1 OpenLDAP libraries
ii  libpam-modules           1.0.1-5+lenny1  Pluggable Authentication Modules f
ii  libpam0g                 1.0.1-5+lenny1  Pluggable Authentication Modules l

sudo-ldap recommends no packages.

sudo-ldap suggests no packages.

-- debconf-show failed

-- 
Alexandra N. Kossovsky
OKTET Labs (http://www.oktetlabs.ru/)
Phones: +7(921)956-42-86(mobile) +7(812)783-21-91(office)
e-mail: sasha at oktetlabs.ru