Red Hat Bugzilla – Bug 903020
sudoers containing specially crafted aliases causes segfault of visudo
Last modified: 2013-02-21 04:45:14 EST
Description of problem: Sudoers file containing specially crafted aliases causes segfault of visudo. Version-Release number of selected component (if applicable): sudo-1.8.6p3-6.el6 How reproducible: Always Steps to Reproduce: 1. cat <<EOF >>/etc/sudoers User_Alias YYY = FOO User_Alias XXX = nobody User_Alias FOO = XXX,YYY FOO ALL=(ALL) NOPASSWD: ALL EOF 2. visudo -c 3. echo $? Actual results: 2. visudo: Warning: cycle in User_Alias `FOO' Segmentation fault (core dumped) 3. 139 Expected results: No segfault, works Additional info: If you insert these aliases with "visudo" it will segfault and changes won't store. Unfortunatelly when you store this arbitrary code by some other tool (vim, cat, ...) you won't be able to delete it with visudo because of segfault.
This should be easily fixable. I'll try to prepare a patch ASAP.
Created attachment 685835 [details] proposed patch
Upstream reply: http://www.sudo.ws/pipermail/sudo-workers/2013-January/000790.html
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0363.html