Bug 559 – Using -s option causes segfault

Bug 559 - Using -s option causes segfault


Summary:	Using -s option causes segfault

Status:	RESOLVED FIXED

Product:	Sudo
Classification:	Unclassified
Component:	Sudo
Version:	1.7.9
Hardware:	All All

Importance:	low normal
Assigned To:	Todd C. Miller

URL:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2012-06-14 15:44 MDT by Howard Kash
Modified:	2012-09-12 15:04 MDT (History)
CC List:	0 users

See Also:

Attachments
Fix for "sudo -s command" crash (1.19 KB, patch) 2012-06-14 16:22 MDT, Todd C. Miller	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Howard Kash 2012-06-14 15:44:34 MDT

I believe the problem is in the code starting on line 726 of sudo.c.  The value of NewArgv[0] ends up being NULL and the strlen(infile) call in find_path.c segfaults on a NULL pointer.  The value of av[0], set to user_shell on line 726 od sudo.c, is subsequently replaced with a new value in the for loop on line 734.  Moving the av[0]=user_shell line to just before the av[1]="-c" line (line 747) fixes the problem.

Comment 1 Todd C. Miller 2012-06-14 16:22:00 MDT

Created attachment 352 [details]
Fix for "sudo -s command" crash

This was due to a mis-merge from sudo trunk.  The attached patch moves the allocation until after the command has been escaped which fixes the problem.

Comment 2 Todd C. Miller 2012-09-12 15:04:50 MDT

Fixed in sudo 1.7.10.