Bug 9

Summary: Sudo should clear LANGUAGE etc. environment.
Product: Sudo
Reporter: Jarno Huuskonen <jhuuskon>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: high    
Priority: normal    
Version: 1.6.3   
Hardware: PC   
OS: Linux   

Description Jarno Huuskonen 2000-10-03 06:23:49 MDT
Hi,

With the recent format string errors sudo should clear LANGUAGE, LC_xxx,
NLSPATH etc. environment, because otherwise a user who can run a program
with root privs. can use their own i18n messages from /tmp/LC_MESSAGES.
This pretty much guarantees the user permanent root access because the
messages can contain formatting characters (and because the program is run
with uid==euid at least glibc loads messages from /tmp/LC_MESSAGES if
LANGUAGE=../../../tmp)

I realize this is not a sudo 'bug' but I think it would be a good idea to
protect the admins anyway.

-Jarno

PS. I marked this as a Linux bug, but this affects other 'Unices' as well.
Comment 1 Jarno Huuskonen 2000-10-04 04:32:59 MDT
Just clearing the LANG... etc. env.variables if they contain '/' might be
enough, but for the really paranoid just clear them all.

For some reference about the format string / locale errors see bugtraq posts
about glibc locale/solaris locale etc. (www.securityfocus.com -->
vulnerabilities)
Comment 2 Todd C. Miller 2001-02-19 07:39:59 MST
I have code to do all this in my current source tree so this will be present in
the next release.
Comment 3 Todd C. Miller 2001-12-12 14:05:59 MST
Sudo 1.6.4 will include the ability to manipulate the environment including what variables to
remove/preserve.  By default LANGUAGE and LC_* will be cleared.  Expected release date is some
time in January depending on how the beta goes.
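
The two policies discussed in this report (clear locale variables only when the value contains '/', or clear them all), as an added example that is not sudo's own code. The function names `is_locale_var` and `scrub_locale_env` are hypothetical, and dropping entries with no '=' is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Variables named in the report: LANGUAGE, LC_xxx, NLSPATH, plus LANG. */
static int is_locale_var(const char *entry, size_t namelen)
{
    static const char *const exact[] = { "LANGUAGE", "NLSPATH", "LANG" };

    if (namelen >= 3 && strncmp(entry, "LC_", 3) == 0)
        return 1;
    for (size_t i = 0; i < sizeof(exact) / sizeof(exact[0]); i++)
        if (strlen(exact[i]) == namelen && strncmp(entry, exact[i], namelen) == 0)
            return 1;
    return 0;
}

/*
 * Compact envp in place; return the number of entries kept.
 * paranoid == 0 drops a locale variable only if its value contains '/';
 * paranoid != 0 drops every locale variable. Entries with no '=' are
 * dropped as malformed (an assumption of this example).
 */
size_t scrub_locale_env(char **envp, int paranoid)
{
    size_t kept = 0;

    for (char **src = envp; *src != NULL; src++) {
        const char *eq = strchr(*src, '=');
        if (eq == NULL)
            continue;
        if (is_locale_var(*src, (size_t)(eq - *src)) &&
            (paranoid || strchr(eq + 1, '/') != NULL))
            continue;
        envp[kept++] = *src;
    }
    envp[kept] = NULL;
    return kept;
}

int main(void)
{
    /* Constructed sample environment, not taken from the report. */
    char a[] = "PATH=/usr/bin", b[] = "LANGUAGE=../../../tmp", c[] = "LC_ALL=C";
    char *env[] = { a, b, c, NULL };
    size_t n = scrub_locale_env(env, 0);

    for (size_t i = 0; i < n; i++)
        puts(env[i]);
    return 0;
}
```

The scrub has to run on the environment array that is actually handed to the executed command, after the last point where user-supplied variables can be merged in.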