Bug 42

Summary: Incomplete Logging Code
Product: Sudo
Reporter: Florian.Weimer
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED WONTFIX
Severity: normal
Priority: normal
Version: 1.6.3
Hardware: All
OS: All
URL: http://cert.uni-stuttgart.de/archive/bugtraq/2001/02/msg00507.html

Description Florian.Weimer 2001-06-15 09:10:38 MDT
The logging code (in which the buffer overflow was found, which turned out
to be exploitable at least on some platforms) can be tricked into not logging
all information. Please see the attached URL for an analysis of the problem.
Comment 1 Todd C. Miller 2001-06-15 10:12:59 MDT
I don't consider this a problem since even if the long word was passed to syslog() it would get truncated anyway (since syslog has its own line length limits).  Please note that long commands are still logged, it is only long *words* (> ~900 characters) that are truncated.  In normal (non-attack) usage this simply does not occur.