Date: Thu, 3 Jun 2010 14:53:14 +0000
From: Takahiro Kambe
Subject: CVS commit: pkgsrc/security/sudo
To: pkgsrc-changes@NetBSD.org
Reply-To: taca@netbsd.org
Message-Id: <20100603145314.74A93175DD@cvs.netbsd.org>

Module Name:    pkgsrc
Committed By:   taca
Date:           Thu Jun 3 14:53:14 UTC 2010

Modified Files:
        pkgsrc/security/sudo: Makefile distinfo

Log Message:
Update security/sudo package to 1.7.2p7.

For more detail: http://www.sudo.ws/sudo/alerts/secure_path.html

Summary:
        Sudo "secure path" feature works by replacing the PATH environment
        variable with a value specified in the sudoers file, or at compile
        time if the --with-secure-path configure option is used. The flaw is
        that sudo only replaces the first instance of PATH in the
        environment. If the program being run through sudo uses the last
        instance of PATH in the environment, an attacker may be able to avoid
        the "secure path" restrictions.

Sudo versions affected:
        Sudo 1.3.1 through 1.6.9p22 and Sudo 1.7.0 through 1.7.2p6.

To generate a diff of this commit:
cvs rdiff -u -r1.120 -r1.121 pkgsrc/security/sudo/Makefile
cvs rdiff -u -r1.62 -r1.63 pkgsrc/security/sudo/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
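
The duplicate-PATH problem described in the summary, shown as an added example that is not part of the original commit message and is not sudo's own code: a first-match-only replacement beside one that collapses every PATH entry. The function names, the SECURE_PATH value and the sample environment are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed value; sudo takes it from sudoers or --with-secure-path. */
#define SECURE_PATH "PATH=/usr/bin:/bin"

static int is_path(const char *e) { return strncmp(e, "PATH=", 5) == 0; }

/* Flawed pattern from the summary: stop after the first PATH entry. */
void replace_first_path(const char **envp, const char *secure)
{
    for (; *envp != NULL; envp++)
        if (is_path(*envp)) { *envp = secure; return; } /* later copies survive */
}

/* Hardened pattern: keep one PATH entry, drop later duplicates. Returns the
 * number of PATH entries seen: >1 is worth logging, 0 means none was set. */
int replace_all_path(const char **envp, const char *secure)
{
    const char **out = envp;
    int seen = 0;
    for (; *envp != NULL; envp++) {
        if (!is_path(*envp))
            *out++ = *envp;
        else if (seen++ == 0)
            *out++ = secure;
    }
    *out = NULL;
    return seen;
}

/* Models a program that honours the last PATH entry; NULL if none. */
const char *last_path(const char **envp)
{
    const char *found = NULL;
    for (; *envp != NULL; envp++)
        if (is_path(*envp)) found = *envp + 5;
    return found;
}

int main(void)
{
    /* Constructed environment carrying a duplicate PATH entry. */
    const char *env[] = { "PATH=/home/u/bin", "HOME=/home/u", "PATH=/tmp/x", NULL };
    replace_first_path(env, SECURE_PATH);
    printf("first-only: last PATH = %s\n", last_path(env));
    int seen = replace_all_path(env, SECURE_PATH);
    printf("all (%d seen): last PATH = %s\n", seen, last_path(env));
}
```

A return value greater than 1 from replace_all_path means the caller supplied duplicate PATH entries, which a wrapper can log before executing the command.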