Bug 492981
| Summary: | sudo NULL derefernce segfault | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Josh Bressers <bressers> |
| Component: | sudo | Assignee: | Daniel Kopeček <dkopecek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 10 | CC: | dkopecek, kzak, mmcgrath, mvadkert |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-08-20 14:05:30 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 517000 | ||
Fixed in the current version of sudo in F-10 (and also in F-11 and rawhide). |
Mike McGrath reported a segfault in sudo to the Red Hat Security Response Team. Upon investigating this, it turned out to be a NULL dereference crash, but we still don't like those in sudo. Here are the details (I'm using the F10 srpm as my source here) If you run sudo with the argument -u '#111' where the UID doesn't exist, it will segfault. The command line for the below gdb session was: (gdb) run -u '#111' If I I break in runas_setgroups() (gdb) frame #0 runas_setgroups () at set_perms.c:431 431 if (initgroups(pw->pw_name, pw->pw_gid) < 0) (gdb) print *pw $4 = {pw_name = 0x0, pw_passwd = 0x0, pw_uid = 111, pw_gid = 0, pw_gecos = 0x0, pw_dir = 0x0, pw_shell = 0x0} This is the result of code in sudo.c:1266 that creates a fake zeroed passwd structure. The initgroups function does specify that the user argument cannot be NULL.