sudo/sme9/sudo-1.8.6p3-CVE-2014-9680.patch

diff -up sudo-1.8.6p3/aclocal.m4.CVE-2014-9680 sudo-1.8.6p3/aclocal.m4
--- sudo-1.8.6p3/aclocal.m4.CVE-2014-9680       2012-09-18 15:56:28.000000000 +0200
+++ sudo-1.8.6p3/aclocal.m4     2015-03-31 12:55:08.392841672 +0200
@@ -156,6 +156,25 @@ AC_DEFUN([SUDO_IO_LOGDIR], [
     AC_MSG_RESULT($iolog_dir)
 ])dnl
 
+dnl Detect time zone file directory, if any.
+dnl
+AC_DEFUN([SUDO_TZDIR], [AC_MSG_CHECKING(time zone data directory)
+tzdir="$with_tzdir"
+if test -z "$tzdir"; then
+    tzdir=no
+    for d in /usr/share /usr/share/lib /usr/lib /etc; do
+       if test -d "$d/zoneinfo"; then
+           tzdir="$d/zoneinfo"
+           break
+       fi
+    done
+fi
+AC_MSG_RESULT([$tzdir])
+if test "${tzdir}" != "no"; then
+    SUDO_DEFINE_UNQUOTED(_PATH_ZONEINFO, "$tzdir")
+fi
+])dnl
+
 dnl
 dnl check for working fnmatch(3)
 dnl
diff -up sudo-1.8.6p3/configure.in.CVE-2014-9680 sudo-1.8.6p3/configure.in
--- sudo-1.8.6p3/configure.in.CVE-2014-9680     2015-03-31 12:55:08.375841856 +0200
+++ sudo-1.8.6p3/configure.in   2015-03-31 12:55:08.393841662 +0200
@@ -774,6 +774,12 @@ AC_ARG_WITH(iologdir, [AS_HELP_STRING([-
            ;;
 esac])
 
+AC_ARG_WITH(tzdir, [AS_HELP_STRING([--with-tzdir=DIR], [path to the time zone data directory])],
+[case $with_tzdir in
+    yes)       AC_MSG_ERROR(["must give --with-tzdir an argument."])
+               ;;
+esac])
+
 AC_ARG_WITH(sendmail, [AS_HELP_STRING([--with-sendmail], [set path to sendmail])
 AS_HELP_STRING([--without-sendmail], [do not send mail at all])],
 [case $with_sendmail in
@@ -3240,6 +3246,7 @@ fi
 SUDO_LOGFILE
 SUDO_TIMEDIR
 SUDO_IO_LOGDIR
+SUDO_TZDIR
 
 dnl
 dnl Turn warnings into errors.
diff -up sudo-1.8.6p3/doc/sudoers.cat.CVE-2014-9680 sudo-1.8.6p3/doc/sudoers.cat
--- sudo-1.8.6p3/doc/sudoers.cat.CVE-2014-9680  2015-03-31 12:55:08.365841964 +0200
+++ sudo-1.8.6p3/doc/sudoers.cat        2015-03-31 13:00:04.625640465 +0200
@@ -1421,20 +1421,36 @@ SSUUDDOOEERRSS OOPPTTIIOONN
 
      LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
 
-     env_check         Environment variables to be removed from the user's
-                       environment if the variable's value contains `%' or `/'
+      env_check        Environment variables to be removed from the user's
+                       environment if unless they are considered ``safe''.
+                       For all variables except TZ, ``safe'' means that the
+                       variable's value does not contain any `%' or `/'
                        characters.  This can be used to guard against printf-
                        style format vulnerabilities in poorly-written
-                       programs.  The argument may be a double-quoted, space-
-                       separated list or a single value without double-quotes.
-                       The list can be replaced, added to, deleted from, or
-                       disabled by using the =, +=, -=, and ! operators
-                       respectively.  Regardless of whether the env_reset
-                       option is enabled or disabled, variables specified by
-                       env_check will be preserved in the environment if they
-                       pass the aforementioned check.  The default list of
-                       environment variables to check is displayed when ssuuddoo
-                       is run by root with the --VV option.
+                       programs.  The TZ variable is considerd unsafe if any
+                       of the following are true:
+
+                       ++oo   It consists of a fully-qualified path name,
+                           optionally prefixed with a colon (`:'), that does
+                           not match the location of the _z_o_n_e_i_n_f_o directory.
+
+                       ++oo   It contains a _._. path element.
+
+                       ++oo   It contains white space or non-printable
+                           characters.
+
+                       ++oo   It is longer than the value of PATH_MAX.
+
+                       The argument may be a double-quoted, space-separated
+                       list or a single value without double-quotes.  The list
+                       can be replaced, added to, deleted from, or disabled by
+                       using the =, +=, -=, and ! operators respectively.
+                       Regardless of whether the env_reset option is enabled
+                       or disabled, variables specified by env_check will be
+                       preserved in the environment if they pass the
+                       aforementioned check.  The default list of environment
+                       variables to check is displayed when ssuuddoo is run by
+                       root with the --VV option.
 
      env_delete        Environment variables to be removed from the user's
                        environment when the _e_n_v___r_e_s_e_t option is not in effect.
diff -up sudo-1.8.6p3/doc/sudoers.man.in.CVE-2014-9680 sudo-1.8.6p3/doc/sudoers.man.in
--- sudo-1.8.6p3/doc/sudoers.man.in.CVE-2014-9680       2015-03-31 12:55:08.366841953 +0200
+++ sudo-1.8.6p3/doc/sudoers.man.in     2015-03-31 13:01:57.539420274 +0200
@@ -3002,14 +3002,47 @@ The default value is
 \fBLists that can be used in a boolean context\fR:
 .TP 18n
 env_check
-Environment variables to be removed from the user's environment if
-the variable's value contains
-`%'
+ Environment variables to be removed from the user's environment if
+unless they are considered
+\(lqsafe\(rq.
+For all variables except
+\fRTZ\fR,
+\(lqsafe\(rq
+means that the variable's value does not contain any
+\(oq%\(cq
 or
-`/'
+\(oq/\(cq
 characters.
 This can be used to guard against printf-style format vulnerabilities
 in poorly-written programs.
+The
+\fRTZ\fR
+variable is considerd unsafe if any of the following are true:
+.PP
+.RS 18n
+.PD 0
+.TP 4n
+\fB\(bu\fR
+It consists of a fully-qualified path name,
+optionally prefixed with a colon
+(\(oq:\&\(cq),
+that does not match the location of the
+\fIzoneinfo\fR
+directory.
+.PD
+.TP 4n
+\fB\(bu\fR
+It contains a
+\fI..\fR
+path element.
+.TP 4n
+\fB\(bu\fR
+It contains white space or non-printable characters.
+.TP 4n
+\fB\(bu\fR
+It is longer than the value of
+\fRPATH_MAX\fR.
+.PP
 The argument may be a double-quoted, space-separated list or a
 single value without double-quotes.
 The list can be replaced, added to, deleted from, or disabled by using
@@ -3031,6 +3064,7 @@ is run by root with
 the
 \fB\-V\fR
 option.
+.RE
 .TP 18n
 env_delete
 Environment variables to be removed from the user's environment when the
diff -up sudo-1.8.6p3/doc/sudoers.mdoc.in.CVE-2014-9680 sudo-1.8.6p3/doc/sudoers.mdoc.in
--- sudo-1.8.6p3/doc/sudoers.mdoc.in.CVE-2014-9680      2015-03-31 12:55:08.366841953 +0200
+++ sudo-1.8.6p3/doc/sudoers.mdoc.in    2015-03-31 13:03:21.721510569 +0200
@@ -2791,13 +2791,40 @@ The default value is
 .Bl -tag -width 16n
 .It env_check
 Environment variables to be removed from the user's environment if
-the variable's value contains
+unless they are considered
+.Dq safe .
+For all variables except
+.Li TZ ,
+.Dq safe
+means that the variable's value does not contain any
 .Ql %
 or
 .Ql /
 characters.
 This can be used to guard against printf-style format vulnerabilities
 in poorly-written programs.
+The
+.Li TZ 
+variable is considerd unsafe if any of the following are true:
+.Bl -bullet
+.It
+It consists of a fully-qualified path name,
+optionally prefixed with a colon
+.Pq Ql :\& ,
+that does not match the location of the
+.Pa zoneinfo
+directory.
+.It
+It contains a
+.Pa ..
+path element.
+.It
+It contains white space or non-printable characters.
+.It
+It is longer than the value of
+.Li PATH_MAX .
+.El
+.Pp
 The argument may be a double-quoted, space-separated list or a
 single value without double-quotes.
 The list can be replaced, added to, deleted from, or disabled by using
diff -up sudo-1.8.6p3/INSTALL.CVE-2014-9680 sudo-1.8.6p3/INSTALL
--- sudo-1.8.6p3/INSTALL.CVE-2014-9680  2012-09-18 15:57:43.000000000 +0200
+++ sudo-1.8.6p3/INSTALL        2015-03-31 12:55:08.394841651 +0200
@@ -461,6 +461,16 @@ The following options are also configura
        Override the default location of the sudo timestamp directory and
        use "path" instead.
 
+  --with-tzdir=DIR
+        Set the directory to the system's time zone data files.  This 
+       is only used when sanitizing the TZ environment variable to
+       allow for fully-qualified paths in TZ.
+        By default, configure will look for an existing "zoneinfo"
+       directory in the following locations:
+           /usr/share /usr/share/lib /usr/lib /etc
+       If no zoneinfo directory is found, the TZ variable may not
+       contain a fully-qualified path.
+
   --with-sendmail=PATH
        Override configure's guess as to the location of sendmail.
 
diff -up sudo-1.8.6p3/pathnames.h.in.CVE-2014-9680 sudo-1.8.6p3/pathnames.h.in
--- sudo-1.8.6p3/pathnames.h.in.CVE-2014-9680   2012-09-18 15:56:28.000000000 +0200
+++ sudo-1.8.6p3/pathnames.h.in 2015-03-31 12:55:08.394841651 +0200
@@ -168,3 +168,7 @@
 #ifndef _PATH_NETSVC_CONF
 #undef _PATH_NETSVC_CONF
 #endif /* _PATH_NETSVC_CONF */
+
+#ifndef _PATH_ZONEINFO
+# undef        _PATH_ZONEINFO
+#endif /* _PATH_ZONEINFO */
diff -up sudo-1.8.6p3/plugins/sudoers/env.c.CVE-2014-9680 sudo-1.8.6p3/plugins/sudoers/env.c
--- sudo-1.8.6p3/plugins/sudoers/env.c.CVE-2014-9680    2012-09-18 15:57:43.000000000 +0200
+++ sudo-1.8.6p3/plugins/sudoers/env.c  2015-03-31 12:55:08.394841651 +0200
@@ -198,6 +198,7 @@ static const char *initial_checkenv_tabl
     "LC_*",
     "LINGUAS",
     "TERM",
+    "TZ",
     NULL
 };
 
@@ -213,7 +214,6 @@ static const char *initial_keepenv_table
     "PATH",
     "PS1",
     "PS2",
-    "TZ",
     "XAUTHORITY",
     "XAUTHORIZATION",
     NULL
@@ -584,6 +584,54 @@ matches_env_delete(const char *var)
 }
 
 /*
+ * Sanity-check the TZ environment variable.
+ * On many systems it is possible to set this to a pathname.
+ */
+static bool
+tz_is_sane(const char *tzval)
+{
+    const char *cp;
+    char lastch;
+    debug_decl(tz_is_sane, SUDO_DEBUG_ENV)
+
+    /* tzcode treats a value beginning with a ':' as a path. */
+    if (tzval[0] == ':')
+       tzval++;
+
+    /* Reject fully-qualified TZ that doesn't being with the zoneinfo dir. */
+    if (tzval[0] == '/') {
+#ifdef _PATH_ZONEINFO
+       if (strncmp(tzval, _PATH_ZONEINFO, sizeof(_PATH_ZONEINFO) - 1) != 0 ||
+           tzval[sizeof(_PATH_ZONEINFO) - 1] != '/')
+           debug_return_bool(false);
+#else
+       /* Assume the worst. */
+       debug_return_bool(false);
+#endif
+    }
+
+    /*
+     * Make sure TZ only contains printable non-space characters
+     * and does not contain a '..' path element.
+     */
+    lastch = '/';
+    for (cp = tzval; *cp != '\0'; cp++) {
+       if (isspace((unsigned char)*cp) || !isprint((unsigned char)*cp))
+           debug_return_bool(false);
+       if (lastch == '/' && cp[0] == '.' && cp[1] == '.' &&
+           (cp[2] == '/' || cp[2] == '\0'))
+           debug_return_bool(false);
+       lastch = *cp;
+    }
+
+    /* Reject extra long TZ values (even if not a path). */
+    if ((size_t)(cp - tzval) >= PATH_MAX)
+       debug_return_bool(false);
+
+    debug_return_bool(true);
+}
+
+/*
  * Apply the env_check list.
  * Returns true if the variable is allowed, false if denied
  * or -1 if no match.
@@ -607,8 +655,13 @@ matches_env_check(const char *var)
            iswild = false;
        if (strncmp(cur->value, var, len) == 0 &&
            (iswild || var[len] == '=')) {
+         if (strncmp(var, "TZ=", 3) == 0 ) {
+           /* Sperial case for TZ */
+           keepit = tz_is_sane(var + 3);
+         } else {
            keepit = !strpbrk(var, "/%");
-           break;
+         }
+         break;
        }
     }
     debug_return_bool(keepit);
1	jpp	1.1	diff -up sudo-1.8.6p3/aclocal.m4.CVE-2014-9680 sudo-1.8.6p3/aclocal.m4
2			--- sudo-1.8.6p3/aclocal.m4.CVE-2014-9680 2012-09-18 15:56:28.000000000 +0200
3			+++ sudo-1.8.6p3/aclocal.m4 2015-03-31 12:55:08.392841672 +0200
4			@@ -156,6 +156,25 @@ AC_DEFUN([SUDO_IO_LOGDIR], [
5			AC_MSG_RESULT($iolog_dir)
6			])dnl
7
8			+dnl Detect time zone file directory, if any.
9			+dnl
10			+AC_DEFUN([SUDO_TZDIR], [AC_MSG_CHECKING(time zone data directory)
11			+tzdir="$with_tzdir"
12			+if test -z "$tzdir"; then
13			+ tzdir=no
14			+ for d in /usr/share /usr/share/lib /usr/lib /etc; do
15			+ if test -d "$d/zoneinfo"; then
16			+ tzdir="$d/zoneinfo"
17			+ break
18			+ fi
19			+ done
20			+fi
21			+AC_MSG_RESULT([$tzdir])
22			+if test "${tzdir}" != "no"; then
23			+ SUDO_DEFINE_UNQUOTED(_PATH_ZONEINFO, "$tzdir")
24			+fi
25			+])dnl
26			+
27			dnl
28			dnl check for working fnmatch(3)
29			dnl
30			diff -up sudo-1.8.6p3/configure.in.CVE-2014-9680 sudo-1.8.6p3/configure.in
31			--- sudo-1.8.6p3/configure.in.CVE-2014-9680 2015-03-31 12:55:08.375841856 +0200
32			+++ sudo-1.8.6p3/configure.in 2015-03-31 12:55:08.393841662 +0200
33			@@ -774,6 +774,12 @@ AC_ARG_WITH(iologdir, [AS_HELP_STRING([-
34			;;
35			esac])
36
37			+AC_ARG_WITH(tzdir, [AS_HELP_STRING([--with-tzdir=DIR], [path to the time zone data directory])],
38			+[case $with_tzdir in
39			+ yes) AC_MSG_ERROR(["must give --with-tzdir an argument."])
40			+ ;;
41			+esac])
42			+
43			AC_ARG_WITH(sendmail, [AS_HELP_STRING([--with-sendmail], [set path to sendmail])
44			AS_HELP_STRING([--without-sendmail], [do not send mail at all])],
45			[case $with_sendmail in
46			@@ -3240,6 +3246,7 @@ fi
47			SUDO_LOGFILE
48			SUDO_TIMEDIR
49			SUDO_IO_LOGDIR
50			+SUDO_TZDIR
51
52			dnl
53			dnl Turn warnings into errors.
54			diff -up sudo-1.8.6p3/doc/sudoers.cat.CVE-2014-9680 sudo-1.8.6p3/doc/sudoers.cat
55			--- sudo-1.8.6p3/doc/sudoers.cat.CVE-2014-9680 2015-03-31 12:55:08.365841964 +0200
56			+++ sudo-1.8.6p3/doc/sudoers.cat 2015-03-31 13:00:04.625640465 +0200
57			@@ -1421,20 +1421,36 @@ SSUUDDOOEERRSS OOPPTTIIOONN
58
59			LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
60
61			- env_check Environment variables to be removed from the user's
62			- environment if the variable's value contains `%' or `/'
63			+ env_check Environment variables to be removed from the user's
64			+ environment if unless they are considered ``safe''.
65			+ For all variables except TZ, ``safe'' means that the
66			+ variable's value does not contain any `%' or `/'
67			characters. This can be used to guard against printf-
68			style format vulnerabilities in poorly-written
69			- programs. The argument may be a double-quoted, space-
70			- separated list or a single value without double-quotes.
71			- The list can be replaced, added to, deleted from, or
72			- disabled by using the =, +=, -=, and ! operators
73			- respectively. Regardless of whether the env_reset
74			- option is enabled or disabled, variables specified by
75			- env_check will be preserved in the environment if they
76			- pass the aforementioned check. The default list of
77			- environment variables to check is displayed when ssuuddoo
78			- is run by root with the --VV option.
79			+ programs. The TZ variable is considerd unsafe if any
80			+ of the following are true:
81			+
82			+ ++oo It consists of a fully-qualified path name,
83			+ optionally prefixed with a colon (`:'), that does
84			+ not match the location of the _z_o_n_e_i_n_f_o directory.
85			+
86			+ ++oo It contains a _._. path element.
87			+
88			+ ++oo It contains white space or non-printable
89			+ characters.
90			+
91			+ ++oo It is longer than the value of PATH_MAX.
92			+
93			+ The argument may be a double-quoted, space-separated
94			+ list or a single value without double-quotes. The list
95			+ can be replaced, added to, deleted from, or disabled by
96			+ using the =, +=, -=, and ! operators respectively.
97			+ Regardless of whether the env_reset option is enabled
98			+ or disabled, variables specified by env_check will be
99			+ preserved in the environment if they pass the
100			+ aforementioned check. The default list of environment
101			+ variables to check is displayed when ssuuddoo is run by
102			+ root with the --VV option.
103
104			env_delete Environment variables to be removed from the user's
105			environment when the _e_n_v___r_e_s_e_t option is not in effect.
106			diff -up sudo-1.8.6p3/doc/sudoers.man.in.CVE-2014-9680 sudo-1.8.6p3/doc/sudoers.man.in
107			--- sudo-1.8.6p3/doc/sudoers.man.in.CVE-2014-9680 2015-03-31 12:55:08.366841953 +0200
108			+++ sudo-1.8.6p3/doc/sudoers.man.in 2015-03-31 13:01:57.539420274 +0200
109			@@ -3002,14 +3002,47 @@ The default value is
110			\fBLists that can be used in a boolean context\fR:
111			.TP 18n
112			env_check
113			-Environment variables to be removed from the user's environment if
114			-the variable's value contains
115			-`%'
116			+ Environment variables to be removed from the user's environment if
117			+unless they are considered
118			+\(lqsafe\(rq.
119			+For all variables except
120			+\fRTZ\fR,
121			+\(lqsafe\(rq
122			+means that the variable's value does not contain any
123			+\(oq%\(cq
124			or
125			-`/'
126			+\(oq/\(cq
127			characters.
128			This can be used to guard against printf-style format vulnerabilities
129			in poorly-written programs.
130			+The
131			+\fRTZ\fR
132			+variable is considerd unsafe if any of the following are true:
133			+.PP
134			+.RS 18n
135			+.PD 0
136			+.TP 4n
137			+\fB\(bu\fR
138			+It consists of a fully-qualified path name,
139			+optionally prefixed with a colon
140			+(\(oq:\&\(cq),
141			+that does not match the location of the
142			+\fIzoneinfo\fR
143			+directory.
144			+.PD
145			+.TP 4n
146			+\fB\(bu\fR
147			+It contains a
148			+\fI..\fR
149			+path element.
150			+.TP 4n
151			+\fB\(bu\fR
152			+It contains white space or non-printable characters.
153			+.TP 4n
154			+\fB\(bu\fR
155			+It is longer than the value of
156			+\fRPATH_MAX\fR.
157			+.PP
158			The argument may be a double-quoted, space-separated list or a
159			single value without double-quotes.
160			The list can be replaced, added to, deleted from, or disabled by using
161			@@ -3031,6 +3064,7 @@ is run by root with
162			the
163			\fB\-V\fR
164			option.
165			+.RE
166			.TP 18n
167			env_delete
168			Environment variables to be removed from the user's environment when the
169			diff -up sudo-1.8.6p3/doc/sudoers.mdoc.in.CVE-2014-9680 sudo-1.8.6p3/doc/sudoers.mdoc.in
170			--- sudo-1.8.6p3/doc/sudoers.mdoc.in.CVE-2014-9680 2015-03-31 12:55:08.366841953 +0200
171			+++ sudo-1.8.6p3/doc/sudoers.mdoc.in 2015-03-31 13:03:21.721510569 +0200
172			@@ -2791,13 +2791,40 @@ The default value is
173			.Bl -tag -width 16n
174			.It env_check
175			Environment variables to be removed from the user's environment if
176			-the variable's value contains
177			+unless they are considered
178			+.Dq safe .
179			+For all variables except
180			+.Li TZ ,
181			+.Dq safe
182			+means that the variable's value does not contain any
183			.Ql %
184			or
185			.Ql /
186			characters.
187			This can be used to guard against printf-style format vulnerabilities
188			in poorly-written programs.
189			+The
190			+.Li TZ
191			+variable is considerd unsafe if any of the following are true:
192			+.Bl -bullet
193			+.It
194			+It consists of a fully-qualified path name,
195			+optionally prefixed with a colon
196			+.Pq Ql :\& ,
197			+that does not match the location of the
198			+.Pa zoneinfo
199			+directory.
200			+.It
201			+It contains a
202			+.Pa ..
203			+path element.
204			+.It
205			+It contains white space or non-printable characters.
206			+.It
207			+It is longer than the value of
208			+.Li PATH_MAX .
209			+.El
210			+.Pp
211			The argument may be a double-quoted, space-separated list or a
212			single value without double-quotes.
213			The list can be replaced, added to, deleted from, or disabled by using
214			diff -up sudo-1.8.6p3/INSTALL.CVE-2014-9680 sudo-1.8.6p3/INSTALL
215			--- sudo-1.8.6p3/INSTALL.CVE-2014-9680 2012-09-18 15:57:43.000000000 +0200
216			+++ sudo-1.8.6p3/INSTALL 2015-03-31 12:55:08.394841651 +0200
217			@@ -461,6 +461,16 @@ The following options are also configura
218			Override the default location of the sudo timestamp directory and
219			use "path" instead.
220
221			+ --with-tzdir=DIR
222			+ Set the directory to the system's time zone data files. This
223			+ is only used when sanitizing the TZ environment variable to
224			+ allow for fully-qualified paths in TZ.
225			+ By default, configure will look for an existing "zoneinfo"
226			+ directory in the following locations:
227			+ /usr/share /usr/share/lib /usr/lib /etc
228			+ If no zoneinfo directory is found, the TZ variable may not
229			+ contain a fully-qualified path.
230			+
231			--with-sendmail=PATH
232			Override configure's guess as to the location of sendmail.
233
234			diff -up sudo-1.8.6p3/pathnames.h.in.CVE-2014-9680 sudo-1.8.6p3/pathnames.h.in
235			--- sudo-1.8.6p3/pathnames.h.in.CVE-2014-9680 2012-09-18 15:56:28.000000000 +0200
236			+++ sudo-1.8.6p3/pathnames.h.in 2015-03-31 12:55:08.394841651 +0200
237			@@ -168,3 +168,7 @@
238			#ifndef _PATH_NETSVC_CONF
239			#undef _PATH_NETSVC_CONF
240			#endif /* _PATH_NETSVC_CONF */
241			+
242			+#ifndef _PATH_ZONEINFO
243			+# undef _PATH_ZONEINFO
244			+#endif /* _PATH_ZONEINFO */
245			diff -up sudo-1.8.6p3/plugins/sudoers/env.c.CVE-2014-9680 sudo-1.8.6p3/plugins/sudoers/env.c
246			--- sudo-1.8.6p3/plugins/sudoers/env.c.CVE-2014-9680 2012-09-18 15:57:43.000000000 +0200
247			+++ sudo-1.8.6p3/plugins/sudoers/env.c 2015-03-31 12:55:08.394841651 +0200
248			@@ -198,6 +198,7 @@ static const char *initial_checkenv_tabl
249			"LC_*",
250			"LINGUAS",
251			"TERM",
252			+ "TZ",
253			NULL
254			};
255
256			@@ -213,7 +214,6 @@ static const char *initial_keepenv_table
257			"PATH",
258			"PS1",
259			"PS2",
260			- "TZ",
261			"XAUTHORITY",
262			"XAUTHORIZATION",
263			NULL
264			@@ -584,6 +584,54 @@ matches_env_delete(const char *var)
265			}
266
267			/*
268			+ * Sanity-check the TZ environment variable.
269			+ * On many systems it is possible to set this to a pathname.
270			+ */
271			+static bool
272			+tz_is_sane(const char *tzval)
273			+{
274			+ const char *cp;
275			+ char lastch;
276			+ debug_decl(tz_is_sane, SUDO_DEBUG_ENV)
277			+
278			+ /* tzcode treats a value beginning with a ':' as a path. */
279			+ if (tzval[0] == ':')
280			+ tzval++;
281			+
282			+ /* Reject fully-qualified TZ that doesn't being with the zoneinfo dir. */
283			+ if (tzval[0] == '/') {
284			+#ifdef _PATH_ZONEINFO
285			+ if (strncmp(tzval, _PATH_ZONEINFO, sizeof(_PATH_ZONEINFO) - 1) != 0 \|\|
286			+ tzval[sizeof(_PATH_ZONEINFO) - 1] != '/')
287			+ debug_return_bool(false);
288			+#else
289			+ /* Assume the worst. */
290			+ debug_return_bool(false);
291			+#endif
292			+ }
293			+
294			+ /*
295			+ * Make sure TZ only contains printable non-space characters
296			+ * and does not contain a '..' path element.
297			+ */
298			+ lastch = '/';
299			+ for (cp = tzval; *cp != '\0'; cp++) {
300			+ if (isspace((unsigned char)cp) \|\| !isprint((unsigned char)cp))
301			+ debug_return_bool(false);
302			+ if (lastch == '/' && cp[0] == '.' && cp[1] == '.' &&
303			+ (cp[2] == '/' \|\| cp[2] == '\0'))
304			+ debug_return_bool(false);
305			+ lastch = *cp;
306			+ }
307			+
308			+ /* Reject extra long TZ values (even if not a path). */
309			+ if ((size_t)(cp - tzval) >= PATH_MAX)
310			+ debug_return_bool(false);
311			+
312			+ debug_return_bool(true);
313			+}
314			+
315			+/*
316			* Apply the env_check list.
317			* Returns true if the variable is allowed, false if denied
318			* or -1 if no match.
319			@@ -607,8 +655,13 @@ matches_env_check(const char *var)
320			iswild = false;
321			if (strncmp(cur->value, var, len) == 0 &&
322			(iswild \|\| var[len] == '=')) {
323			+ if (strncmp(var, "TZ=", 3) == 0 ) {
324			+ /* Sperial case for TZ */
325			+ keepit = tz_is_sane(var + 3);
326			+ } else {
327			keepit = !strpbrk(var, "/%");
328			- break;
329			+ }
330			+ break;
331			}
332			}
333			debug_return_bool(keepit);