Debian Bug report logs - #349729
sudo: Removes all user environment variables except TERM, LANG and LANGUAGE

Package: sudo; Maintainer for sudo is Bdale Garbee <bdale@gag.com>; Source for sudo is src:sudo.

Reported by: Jeremy Yoder <yoderj@ugs.com>

Date: Tue, 24 Jan 2006 22:18:07 UTC

Severity: critical

Tags: patch

Merged with 349196, 349549, 349587

Found in version sudo/1.6.8p7-1.3

Fixed in version sudo/1.6.8p12-2

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#349729; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Jeremy Yoder <yoderj@ugs.com>:
New Bug report received and forwarded. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Jeremy Yoder <yoderj@ugs.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sudo: Removes all user environment variables except TERM, LANG and LANGUAGE
Date: Tue, 24 Jan 2006 17:01:49 -0500
Package: sudo
Version: 1.6.8p7-1.3
Severity: critical
Justification: breaks unrelated software

This version of sudo is practically unusable because all environment
variables are removed.  Try the following in 1.6.8p7-1.2 and
1.6.8p7-1.3:

sudo env

You'll quickly notice that none of the user environment variables are
passed anymore.


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages sudo depends on:
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-22      Pluggable Authentication Modules f
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#349729; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Jeremy Yoder <jeremy.yoder@ugs.com>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #10 received at 349729@bugs.debian.org (full text, mbox):

From: Jeremy Yoder <jeremy.yoder@ugs.com>
To: 349729@bugs.debian.org
Subject: Re: Bug#349729: (sudo: Removes all user environment variables except TERM, LANG and LANGUAGE)
Date: Tue, 24 Jan 2006 17:27:29 -0500
After reviewing the patch differences between 1.2 and 1.3 I can see why 
it's broken.  Looks like joey@infodrom.org submitted a half-done 
security patch.

His end goal of making sudo require users to white-list environment 
variables rather than black-list them may have merit or it may not.  It 
doesn't matter though, since his code doesn't allow for a white-list, it 
just removes EVERYTHING.

This change is the only difference between 1.2 and 1.3.

Please undo all of his 1.3 changes ASAP.  This version is totally hosed.


Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#349729; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Freek Dijkstra <freek@macfreek.nl>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #15 received at 349729@bugs.debian.org (full text, mbox):

From: Freek Dijkstra <freek@macfreek.nl>
To: 349729@bugs.debian.org
Subject: Intended behaviour
Date: Sat, 28 Jan 2006 20:06:50 +0100
Apparently, this is intended behaviour:

http://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00019.html

I applaud the security team for reacting so promptly, though I think 
this particular bug fix is an excellent example of how NOT to do it. You're 
definitely not the only one who is affected (everyone using sudo is 
affected). In this case, the user should have been presented a big warning 
during the apt-get upgrade, telling him/her to alter /etc/sudoers.

FYI: I first considered downgrading, since I'd rather have a working sudo, 
security fix or not. I'm afraid I can only regard this as very bad 
publicity for the security team.

Regards,
Freek



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#349729; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to mschoechlin@256bit.org:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #20 received at 349729@bugs.debian.org (full text, mbox):

From: mschoechlin@256bit.org
To: Debian Bug Tracking System <349729@bugs.debian.org>
Subject: sudo: setting env_reset brings up the old behaviour
Date: Sun, 29 Jan 2006 21:42:03 +0100
Package: sudo
Version: 1.6.8p7-1.3
Followup-For: Bug #349729


Hi !

There is something wrong with that sudo release.

Setting the variable gives back the old behaviour.
----
Defaults:<username invoking sudo> env_reset
----
Best regards

Marc Schoechlin

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-686
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)

Versions of packages sudo depends on:
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-22      Pluggable Authentication Modules f
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#349729; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #25 received at 349729@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: 349729@bugs.debian.org
Subject: whitelist
Date: Fri, 10 Feb 2006 07:28:47 +0100
Please read the advisory again:
http://www.debian.org/security/2006/dsa-946

It says:

   "Additional variables are only passed through when set as env_check
   in /etc/sudoers, which might be required for some scripts to
   continue to work."

Use

Defaults        env_check = HOME

in /etc/sudoers for example.

Regards,

	Joey

-- 
Linux - the choice of a GNU generation.

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#349729; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Jan Grant <jan.grant@bristol.ac.uk>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #30 received at 349729@bugs.debian.org (full text, mbox):

From: Jan Grant <jan.grant@bristol.ac.uk>
To: 349729@bugs.debian.org
Subject: Re: Bug#349729 Was: sudo update to 1.6.8p7-1.3 breaks scripts: is this the permanent fix?
Date: Fri, 10 Feb 2006 09:40:50 +0000 (GMT)
Apologies for resubmission; I've just found this bug report. I'd like to 
add my voice to the requests that this be re-evaluated. In particular, 
"env_check" does not suffice.

See below:

From: Jan Grant <jan.grant@bristol.ac.uk>
Subject: sudo update to 1.6.8p7-1.3 breaks scripts: is this the permanent fix?

I'm looking at this:

	http://www.debian.org/security/2006/dsa-946

I'm afraid I was just bitten by this. Sudo no longer conforms to the 
behaviour described in its man pages: in particular, I don't mind if my 
environment is stripped away from me but I'd expect that env_keep would 
carry on working, or that I'd be able to supply "!env_reset" to avoid 
the sanitisation in specific cases.

The issue I'm facing is that I have a large collection of scripts that 
rely on sudo, and need environment variables passing through from caller 
to callee. Unfortunately, the format of those variables' content 
includes "/" characters - this is unavoidable. Alas, env_keep, etc, no 
longer work as described.

I'm currently working around this by holding my sudo at 1.6.8p7-1.2; 
however, I'd prefer to be able to track it normally.

Are the future plans for sudo to include this rather draconian "fix"? Is 
this coming from upstream? (In which case I'll chase it with the 
upstream supplier.) Otherwise I'd plead that the changes to sudo be 
relaxed somewhat.

Many thanks for your excellent efforts.

Cheers,
jan

-- 
jan grant, ISYS, University of Bristol. http://www.bris.ac.uk/
Tel +44 (0)117 3317661   http://ioctl.org/jan/
The Java disclaimer: values of 'anywhere' may vary between regions.



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#349729; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Andrew Archibald <andrew.archibald@mail.mcgill.ca>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. Full text and rfc822 format available.

Message #35 received at 349729@bugs.debian.org (full text, mbox):

From: Andrew Archibald <andrew.archibald@mail.mcgill.ca>
To: 349729@bugs.debian.org
Subject: Unable to preserve HOME
Date: Thu, 16 Feb 2006 13:50:16 -0500
Hi,

Since env_keep has been disabled, the only way to preserve the values of
environment variables is with env_check; this removes any environment
variable whose value contains a "/". In particular, and in contradiction
to the example posted in this bug report, HOME can almost never be
passed at all with this configuration. This renders many programs
basically unusable.

Why has env_keep been disabled? It allows the preservation of individual
environment variables at the user's discretion.

Andrew



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#349729; Package sudo. Full text and rfc822 format available.

Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #40 received at 349729@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: Andrew Archibald <andrew.archibald@mail.mcgill.ca>, 349729@bugs.debian.org
Subject: Re: Bug#349729: Unable to preserve HOME
Date: Fri, 17 Feb 2006 01:36:02 +0100
On Thu, 2006-02-16 at 13:50 -0500, Andrew Archibald wrote:
> Hi,
> 
> Since env_keep has been disabled

It has not been disabled, there just appears to be a need to issue an
env_reset before the env_keep or the upstream code does not do quite
what you expect.

Try something like:

	Defaults  env_reset,env_keep+="DISPLAY HOME XAUTHORIZATION"

Bdale




Merged 349196 349549 349587 349729. Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: patch Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Jeremy Yoder <yoderj@ugs.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #49 received at 349196-close@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: 349196-close@bugs.debian.org
Subject: Bug#349196: fixed in sudo 1.6.8p12-2
Date: Sun, 02 Apr 2006 15:02:19 -0700
Source: sudo
Source-Version: 1.6.8p12-2

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo-ldap_1.6.8p12-2_i386.deb
  to pool/main/s/sudo/sudo-ldap_1.6.8p12-2_i386.deb
sudo_1.6.8p12-2.diff.gz
  to pool/main/s/sudo/sudo_1.6.8p12-2.diff.gz
sudo_1.6.8p12-2.dsc
  to pool/main/s/sudo/sudo_1.6.8p12-2.dsc
sudo_1.6.8p12-2_i386.deb
  to pool/main/s/sudo/sudo_1.6.8p12-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 349196@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun,  2 Apr 2006 14:26:20 -0700
Source: sudo
Binary: sudo-ldap sudo
Architecture: source i386
Version: 1.6.8p12-2
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 161012 203874 220808 228551 292833 314949 315115 315718 346325 349085 349129 349196 349549 349587 349729 350776 354431
Changes: 
 sudo (1.6.8p12-2) unstable; urgency=low
 .
   * fix typos in init scripts, closes: #346325
   * update to debhelper compat level 5
   * build depend on autotools-dev to ensure config.sub/guess are fresh
   * accept patch from Martin Schulze developed for 1.6.8p7-1.4 in stable, and
     use it here as well.  Thanks to Martin and the debian-security team.
     closes: #349196, #349549, #349587, #349729, #349129, #350776, #349085
     closes: #315115, #315718, #203874
     * Non-maintainer upload by the Security Team
     * Reworked the former patch to limit environment variables from being
       passed through, set env_reset as default instead [sudo.c, env.c,
       sudoers.pod, Bug#342948, CVE-2005-4158]
     * env_reset is now set by default
     * env_reset will preserve only HOME, LOGNAME, PATH, SHELL, TERM,
       DISPLAY, XAUTHORITY, XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER
       (in addition to the SUDO_* variables)
     * Rebuild sudoers.man.in from the POD file
     * Added README.Debian
   * patch from Alexander Zangerl to fix duplicated PATH issue, closes: #354431
   * simplify rules file by using more of Makefile, despite having to override
     default directories with more arguments to configure, closes: #292833
   * update sudo man page to reflect use of SECURE_PATH, closes: #228551
   * inconsistencies in sudoers man page resolved, closes: #220808, #161012
   * patch from Jeroen van Wolffelaar to improve behavior when FQDNs are
     unresolveable (requires adding bison as build dep), closes: #314949
Files: 
 73d77951ae86e88e906d28d0f94abb33 615 admin optional sudo_1.6.8p12-2.dsc
 b3205e53c871e64824c6b338c9fa8a35 33108 admin optional sudo_1.6.8p12-2.diff.gz
 22698e7f33a3f7179ec3ab59d24e4fec 161506 admin optional sudo_1.6.8p12-2_i386.deb
 d2418ccc65a98154b15c7b3c1342462b 173910 admin optional sudo-ldap_1.6.8p12-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEMEhZZKfAp/LPAagRAkw0AJwJq5L7amKiN48J0ldHRH3Sv29yFACbBi1b
LP3jMinYQ8qNMfE81BL1G9U=
=NSf8
-----END PGP SIGNATURE-----
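
Added example, not part of the bug log and not sudo's own code: a simplified Python model of the whitelist behaviour discussed in this thread, comparing the 1.6.8p7-1.3 policy (TERM, LANG and LANGUAGE plus env_check) with the 1.6.8p12-2 defaults from the changelog above. The function names, the constructed sample environment, the order in which the lists are consulted, and the "%" check (taken from the sudoers manual) are assumptions of this model.

```python
"""Simplified model of sudo's environment whitelist (not sudo's own code)."""
from fnmatch import fnmatchcase

# Kept by default under env_reset, per the 1.6.8p12-2 changelog in this log.
P12_2_DEFAULT_KEEP = ("HOME", "LOGNAME", "PATH", "SHELL", "TERM", "DISPLAY",
                      "XAUTHORITY", "XAUTHORIZATION", "LANG", "LANGUAGE",
                      "LC_*", "USER")
# Kept by 1.6.8p7-1.3, per the title of this bug report.
P7_1_3_DEFAULT_KEEP = ("TERM", "LANG", "LANGUAGE")

# env_check rejects values containing these characters. "/" is reported in
# this thread; "%" comes from the sudoers manual.
UNSAFE_CHARS = "/%"


def _listed(name, patterns):
    """True if name matches any entry; entries may use '*' as in LC_*."""
    return any(fnmatchcase(name, p) for p in patterns)


def filter_env(env, default_keep, env_keep=(), env_check=()):
    """Return (kept, dropped): kept maps name -> value, dropped name -> reason.

    Model assumption: keep lists are consulted first, so a name on a keep
    list is passed through without the env_check value test.
    """
    kept, dropped = {}, {}
    for name, value in env.items():
        if _listed(name, default_keep) or _listed(name, env_keep):
            kept[name] = value
        elif _listed(name, env_check):
            bad = [c for c in UNSAFE_CHARS if c in value]
            if bad:
                dropped[name] = "env_check: value contains " + " ".join(bad)
            else:
                kept[name] = value
        else:
            dropped[name] = "not on any list"
    return kept, dropped


# Constructed sample environment of the invoking user (hypothetical values).
SAMPLE_ENV = {
    "TERM": "xterm",
    "LANG": "C",
    "LC_CTYPE": "C",
    "HOME": "/home/alice",
    "EDITOR": "vi",
    "BUILD_ROOT": "/srv/build",   # a script variable whose value is a path
}


def policy_p7_1_3(env):
    """1.6.8p7-1.3 with 'Defaults env_check = ...' as the only opt-in."""
    return filter_env(env, P7_1_3_DEFAULT_KEEP,
                      env_check=("HOME", "EDITOR", "BUILD_ROOT"))


def policy_p12_2(env):
    """1.6.8p12-2 defaults plus 'Defaults env_keep += "BUILD_ROOT"'."""
    return filter_env(env, P12_2_DEFAULT_KEEP, env_keep=("BUILD_ROOT",))


if __name__ == "__main__":
    for label, policy in (("1.6.8p7-1.3", policy_p7_1_3),
                          ("1.6.8p12-2", policy_p12_2)):
        kept, dropped = policy(SAMPLE_ENV)
        print(label)
        for name in sorted(kept):
            print("  kept    %s=%s" % (name, kept[name]))
        for name in sorted(dropped):
            print("  dropped %s (%s)" % (name, dropped[name]))
```

Under the first policy HOME and BUILD_ROOT are dropped because their values are paths, which is the failure reported in messages #30 and #35; under the second, HOME survives by default and BUILD_ROOT survives through env_keep.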




Message #54 received at 349549-close@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: 349549-close@bugs.debian.org
Subject: Bug#349549: fixed in sudo 1.6.8p12-2
Date: Sun, 02 Apr 2006 15:02:19 -0700
Source: sudo
Source-Version: 1.6.8p12-2

Message #59 received at 349587-close@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: 349587-close@bugs.debian.org
Subject: Bug#349587: fixed in sudo 1.6.8p12-2
Date: Sun, 02 Apr 2006 15:02:19 -0700
Source: sudo
Source-Version: 1.6.8p12-2

Message #64 received at 349729-close@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: 349729-close@bugs.debian.org
Subject: Bug#349729: fixed in sudo 1.6.8p12-2
Date: Sun, 02 Apr 2006 15:02:19 -0700
Source: sudo
Source-Version: 1.6.8p12-2


Bug reopened, originator not changed. Request was from Cyril Bouthors <cyb@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as fixed in version 1.6.8p12-2, send any further explanations to Berend Reitsma <breitsma@gmail.com> Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 01:31:15 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 18:47:13 2014; Machine Name: beach.debian.org
