sudo/sme9/sudo-1.8.6p3-CVE-2014-9680.patch

diff -up sudo-1.8.6p3/aclocal.m4.CVE-2014-9680 sudo-1.8.6p3/aclocal.m4
--- sudo-1.8.6p3/aclocal.m4.CVE-2014-9680       2012-09-18 15:56:28.000000000 +0200
+++ sudo-1.8.6p3/aclocal.m4     2015-03-31 12:55:08.392841672 +0200
@@ -156,6 +156,25 @@ AC_DEFUN([SUDO_IO_LOGDIR], [
     AC_MSG_RESULT($iolog_dir)
 ])dnl
 
+dnl Detect time zone file directory, if any.
+dnl
+AC_DEFUN([SUDO_TZDIR], [AC_MSG_CHECKING(time zone data directory)
+tzdir="$with_tzdir"
+if test -z "$tzdir"; then
+    tzdir=no
+    for d in /usr/share /usr/share/lib /usr/lib /etc; do
+       if test -d "$d/zoneinfo"; then
+           tzdir="$d/zoneinfo"
+           break
+       fi
+    done
+fi
+AC_MSG_RESULT([$tzdir])
+if test "${tzdir}" != "no"; then
+    SUDO_DEFINE_UNQUOTED(_PATH_ZONEINFO, "$tzdir")
+fi
+])dnl
+
 dnl
 dnl check for working fnmatch(3)
 dnl
diff -up sudo-1.8.6p3/configure.in.CVE-2014-9680 sudo-1.8.6p3/configure.in
--- sudo-1.8.6p3/configure.in.CVE-2014-9680     2015-03-31 12:55:08.375841856 +0200
+++ sudo-1.8.6p3/configure.in   2015-03-31 12:55:08.393841662 +0200
@@ -774,6 +774,12 @@ AC_ARG_WITH(iologdir, [AS_HELP_STRING([-
            ;;
 esac])
 
+AC_ARG_WITH(tzdir, [AS_HELP_STRING([--with-tzdir=DIR], [path to the time zone data directory])],
+[case $with_tzdir in
+    yes)       AC_MSG_ERROR(["must give --with-tzdir an argument."])
+               ;;
+esac])
+
 AC_ARG_WITH(sendmail, [AS_HELP_STRING([--with-sendmail], [set path to sendmail])
 AS_HELP_STRING([--without-sendmail], [do not send mail at all])],
 [case $with_sendmail in
@@ -3240,6 +3246,7 @@ fi
 SUDO_LOGFILE
 SUDO_TIMEDIR
 SUDO_IO_LOGDIR
+SUDO_TZDIR
 
 dnl
 dnl Turn warnings into errors.
diff -up sudo-1.8.6p3/doc/sudoers.cat.CVE-2014-9680 sudo-1.8.6p3/doc/sudoers.cat
--- sudo-1.8.6p3/doc/sudoers.cat.CVE-2014-9680  2015-03-31 12:55:08.365841964 +0200
+++ sudo-1.8.6p3/doc/sudoers.cat        2015-03-31 13:00:04.625640465 +0200
@@ -1421,20 +1421,36 @@ SSUUDDOOEERRSS OOPPTTIIOONN
 
      LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
 
-     env_check         Environment variables to be removed from the user's
-                       environment if the variable's value contains `%' or `/'
+      env_check        Environment variables to be removed from the user's
+                       environment if unless they are considered ``safe''.
+                       For all variables except TZ, ``safe'' means that the
+                       variable's value does not contain any `%' or `/'
                        characters.  This can be used to guard against printf-
                        style format vulnerabilities in poorly-written
-                       programs.  The argument may be a double-quoted, space-
-                       separated list or a single value without double-quotes.
-                       The list can be replaced, added to, deleted from, or
-                       disabled by using the =, +=, -=, and ! operators
-                       respectively.  Regardless of whether the env_reset
-                       option is enabled or disabled, variables specified by
-                       env_check will be preserved in the environment if they
-                       pass the aforementioned check.  The default list of
-                       environment variables to check is displayed when ssuuddoo
-                       is run by root with the --VV option.
+                       programs.  The TZ variable is considerd unsafe if any
+                       of the following are true:
+
+                       ++oo   It consists of a fully-qualified path name,
+                           optionally prefixed with a colon (`:'), that does
+                           not match the location of the _z_o_n_e_i_n_f_o directory.
+
+                       ++oo   It contains a _._. path element.
+
+                       ++oo   It contains white space or non-printable
+                           characters.
+
+                       ++oo   It is longer than the value of PATH_MAX.
+
+                       The argument may be a double-quoted, space-separated
+                       list or a single value without double-quotes.  The list
+                       can be replaced, added to, deleted from, or disabled by
+                       using the =, +=, -=, and ! operators respectively.
+                       Regardless of whether the env_reset option is enabled
+                       or disabled, variables specified by env_check will be
+                       preserved in the environment if they pass the
+                       aforementioned check.  The default list of environment
+                       variables to check is displayed when ssuuddoo is run by
+                       root with the --VV option.
 
      env_delete        Environment variables to be removed from the user's
                        environment when the _e_n_v___r_e_s_e_t option is not in effect.
diff -up sudo-1.8.6p3/doc/sudoers.man.in.CVE-2014-9680 sudo-1.8.6p3/doc/sudoers.man.in
--- sudo-1.8.6p3/doc/sudoers.man.in.CVE-2014-9680       2015-03-31 12:55:08.366841953 +0200
+++ sudo-1.8.6p3/doc/sudoers.man.in     2015-03-31 13:01:57.539420274 +0200
@@ -3002,14 +3002,47 @@ The default value is
 \fBLists that can be used in a boolean context\fR:
 .TP 18n
 env_check
-Environment variables to be removed from the user's environment if
-the variable's value contains
-`%'
+ Environment variables to be removed from the user's environment if
+unless they are considered
+\(lqsafe\(rq.
+For all variables except
+\fRTZ\fR,
+\(lqsafe\(rq
+means that the variable's value does not contain any
+\(oq%\(cq
 or
-`/'
+\(oq/\(cq
 characters.
 This can be used to guard against printf-style format vulnerabilities
 in poorly-written programs.
+The
+\fRTZ\fR
+variable is considerd unsafe if any of the following are true:
+.PP
+.RS 18n
+.PD 0
+.TP 4n
+\fB\(bu\fR
+It consists of a fully-qualified path name,
+optionally prefixed with a colon
+(\(oq:\&\(cq),
+that does not match the location of the
+\fIzoneinfo\fR
+directory.
+.PD
+.TP 4n
+\fB\(bu\fR
+It contains a
+\fI..\fR
+path element.
+.TP 4n
+\fB\(bu\fR
+It contains white space or non-printable characters.
+.TP 4n
+\fB\(bu\fR
+It is longer than the value of
+\fRPATH_MAX\fR.
+.PP
 The argument may be a double-quoted, space-separated list or a
 single value without double-quotes.
 The list can be replaced, added to, deleted from, or disabled by using
@@ -3031,6 +3064,7 @@ is run by root with
 the
 \fB\-V\fR
 option.
+.RE
 .TP 18n
 env_delete
 Environment variables to be removed from the user's environment when the
diff -up sudo-1.8.6p3/doc/sudoers.mdoc.in.CVE-2014-9680 sudo-1.8.6p3/doc/sudoers.mdoc.in
--- sudo-1.8.6p3/doc/sudoers.mdoc.in.CVE-2014-9680      2015-03-31 12:55:08.366841953 +0200
+++ sudo-1.8.6p3/doc/sudoers.mdoc.in    2015-03-31 13:03:21.721510569 +0200
@@ -2791,13 +2791,40 @@ The default value is
 .Bl -tag -width 16n
 .It env_check
 Environment variables to be removed from the user's environment if
-the variable's value contains
+unless they are considered
+.Dq safe .
+For all variables except
+.Li TZ ,
+.Dq safe
+means that the variable's value does not contain any
 .Ql %
 or
 .Ql /
 characters.
 This can be used to guard against printf-style format vulnerabilities
 in poorly-written programs.
+The
+.Li TZ 
+variable is considerd unsafe if any of the following are true:
+.Bl -bullet
+.It
+It consists of a fully-qualified path name,
+optionally prefixed with a colon
+.Pq Ql :\& ,
+that does not match the location of the
+.Pa zoneinfo
+directory.
+.It
+It contains a
+.Pa ..
+path element.
+.It
+It contains white space or non-printable characters.
+.It
+It is longer than the value of
+.Li PATH_MAX .
+.El
+.Pp
 The argument may be a double-quoted, space-separated list or a
 single value without double-quotes.
 The list can be replaced, added to, deleted from, or disabled by using
diff -up sudo-1.8.6p3/INSTALL.CVE-2014-9680 sudo-1.8.6p3/INSTALL
--- sudo-1.8.6p3/INSTALL.CVE-2014-9680  2012-09-18 15:57:43.000000000 +0200
+++ sudo-1.8.6p3/INSTALL        2015-03-31 12:55:08.394841651 +0200
@@ -461,6 +461,16 @@ The following options are also configura
        Override the default location of the sudo timestamp directory and
        use "path" instead.
 
+  --with-tzdir=DIR
+        Set the directory to the system's time zone data files.  This 
+       is only used when sanitizing the TZ environment variable to
+       allow for fully-qualified paths in TZ.
+        By default, configure will look for an existing "zoneinfo"
+       directory in the following locations:
+           /usr/share /usr/share/lib /usr/lib /etc
+       If no zoneinfo directory is found, the TZ variable may not
+       contain a fully-qualified path.
+
   --with-sendmail=PATH
        Override configure's guess as to the location of sendmail.
 
diff -up sudo-1.8.6p3/pathnames.h.in.CVE-2014-9680 sudo-1.8.6p3/pathnames.h.in
--- sudo-1.8.6p3/pathnames.h.in.CVE-2014-9680   2012-09-18 15:56:28.000000000 +0200
+++ sudo-1.8.6p3/pathnames.h.in 2015-03-31 12:55:08.394841651 +0200
@@ -168,3 +168,7 @@
 #ifndef _PATH_NETSVC_CONF
 #undef _PATH_NETSVC_CONF
 #endif /* _PATH_NETSVC_CONF */
+
+#ifndef _PATH_ZONEINFO
+# undef        _PATH_ZONEINFO
+#endif /* _PATH_ZONEINFO */
diff -up sudo-1.8.6p3/plugins/sudoers/env.c.CVE-2014-9680 sudo-1.8.6p3/plugins/sudoers/env.c
--- sudo-1.8.6p3/plugins/sudoers/env.c.CVE-2014-9680    2012-09-18 15:57:43.000000000 +0200
+++ sudo-1.8.6p3/plugins/sudoers/env.c  2015-03-31 12:55:08.394841651 +0200
@@ -198,6 +198,7 @@ static const char *initial_checkenv_tabl
     "LC_*",
     "LINGUAS",
     "TERM",
+    "TZ",
     NULL
 };
 
@@ -213,7 +214,6 @@ static const char *initial_keepenv_table
     "PATH",
     "PS1",
     "PS2",
-    "TZ",
     "XAUTHORITY",
     "XAUTHORIZATION",
     NULL
@@ -584,6 +584,54 @@ matches_env_delete(const char *var)
 }
 
 /*
+ * Sanity-check the TZ environment variable.
+ * On many systems it is possible to set this to a pathname.
+ */
+static bool
+tz_is_sane(const char *tzval)
+{
+    const char *cp;
+    char lastch;
+    debug_decl(tz_is_sane, SUDO_DEBUG_ENV)
+
+    /* tzcode treats a value beginning with a ':' as a path. */
+    if (tzval[0] == ':')
+       tzval++;
+
+    /* Reject fully-qualified TZ that doesn't being with the zoneinfo dir. */
+    if (tzval[0] == '/') {
+#ifdef _PATH_ZONEINFO
+       if (strncmp(tzval, _PATH_ZONEINFO, sizeof(_PATH_ZONEINFO) - 1) != 0 ||
+           tzval[sizeof(_PATH_ZONEINFO) - 1] != '/')
+           debug_return_bool(false);
+#else
+       /* Assume the worst. */
+       debug_return_bool(false);
+#endif
+    }
+
+    /*
+     * Make sure TZ only contains printable non-space characters
+     * and does not contain a '..' path element.
+     */
+    lastch = '/';
+    for (cp = tzval; *cp != '\0'; cp++) {
+       if (isspace((unsigned char)*cp) || !isprint((unsigned char)*cp))
+           debug_return_bool(false);
+       if (lastch == '/' && cp[0] == '.' && cp[1] == '.' &&
+           (cp[2] == '/' || cp[2] == '\0'))
+           debug_return_bool(false);
+       lastch = *cp;
+    }
+
+    /* Reject extra long TZ values (even if not a path). */
+    if ((size_t)(cp - tzval) >= PATH_MAX)
+       debug_return_bool(false);
+
+    debug_return_bool(true);
+}
+
+/*
  * Apply the env_check list.
  * Returns true if the variable is allowed, false if denied
  * or -1 if no match.
@@ -607,8 +655,13 @@ matches_env_check(const char *var)
            iswild = false;
        if (strncmp(cur->value, var, len) == 0 &&
            (iswild || var[len] == '=')) {
+         if (strncmp(var, "TZ=", 3) == 0 ) {
+           /* Sperial case for TZ */
+           keepit = tz_is_sane(var + 3);
+         } else {
            keepit = !strpbrk(var, "/%");
-           break;
+         }
+         break;
        }
     }
     debug_return_bool(keepit);
1	diff -up sudo-1.8.6p3/aclocal.m4.CVE-2014-9680 sudo-1.8.6p3/aclocal.m4
2	--- sudo-1.8.6p3/aclocal.m4.CVE-2014-9680 2012-09-18 15:56:28.000000000 +0200
3	+++ sudo-1.8.6p3/aclocal.m4 2015-03-31 12:55:08.392841672 +0200
4	@@ -156,6 +156,25 @@ AC_DEFUN([SUDO_IO_LOGDIR], [
5	AC_MSG_RESULT($iolog_dir)
6	])dnl
7
8	+dnl Detect time zone file directory, if any.
9	+dnl
10	+AC_DEFUN([SUDO_TZDIR], [AC_MSG_CHECKING(time zone data directory)
11	+tzdir="$with_tzdir"
12	+if test -z "$tzdir"; then
13	+ tzdir=no
14	+ for d in /usr/share /usr/share/lib /usr/lib /etc; do
15	+ if test -d "$d/zoneinfo"; then
16	+ tzdir="$d/zoneinfo"
17	+ break
18	+ fi
19	+ done
20	+fi
21	+AC_MSG_RESULT([$tzdir])
22	+if test "${tzdir}" != "no"; then
23	+ SUDO_DEFINE_UNQUOTED(_PATH_ZONEINFO, "$tzdir")
24	+fi
25	+])dnl
26	+
27	dnl
28	dnl check for working fnmatch(3)
29	dnl
30	diff -up sudo-1.8.6p3/configure.in.CVE-2014-9680 sudo-1.8.6p3/configure.in
31	--- sudo-1.8.6p3/configure.in.CVE-2014-9680 2015-03-31 12:55:08.375841856 +0200
32	+++ sudo-1.8.6p3/configure.in 2015-03-31 12:55:08.393841662 +0200
33	@@ -774,6 +774,12 @@ AC_ARG_WITH(iologdir, [AS_HELP_STRING([-
34	;;
35	esac])
36
37	+AC_ARG_WITH(tzdir, [AS_HELP_STRING([--with-tzdir=DIR], [path to the time zone data directory])],
38	+[case $with_tzdir in
39	+ yes) AC_MSG_ERROR(["must give --with-tzdir an argument."])
40	+ ;;
41	+esac])
42	+
43	AC_ARG_WITH(sendmail, [AS_HELP_STRING([--with-sendmail], [set path to sendmail])
44	AS_HELP_STRING([--without-sendmail], [do not send mail at all])],
45	[case $with_sendmail in
46	@@ -3240,6 +3246,7 @@ fi
47	SUDO_LOGFILE
48	SUDO_TIMEDIR
49	SUDO_IO_LOGDIR
50	+SUDO_TZDIR
51
52	dnl
53	dnl Turn warnings into errors.
54	diff -up sudo-1.8.6p3/doc/sudoers.cat.CVE-2014-9680 sudo-1.8.6p3/doc/sudoers.cat
55	--- sudo-1.8.6p3/doc/sudoers.cat.CVE-2014-9680 2015-03-31 12:55:08.365841964 +0200
56	+++ sudo-1.8.6p3/doc/sudoers.cat 2015-03-31 13:00:04.625640465 +0200
57	@@ -1421,20 +1421,36 @@ SSUUDDOOEERRSS OOPPTTIIOONN
58
59	LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
60
61	- env_check Environment variables to be removed from the user's
62	- environment if the variable's value contains `%' or `/'
63	+ env_check Environment variables to be removed from the user's
64	+ environment if unless they are considered ``safe''.
65	+ For all variables except TZ, ``safe'' means that the
66	+ variable's value does not contain any `%' or `/'
67	characters. This can be used to guard against printf-
68	style format vulnerabilities in poorly-written
69	- programs. The argument may be a double-quoted, space-
70	- separated list or a single value without double-quotes.
71	- The list can be replaced, added to, deleted from, or
72	- disabled by using the =, +=, -=, and ! operators
73	- respectively. Regardless of whether the env_reset
74	- option is enabled or disabled, variables specified by
75	- env_check will be preserved in the environment if they
76	- pass the aforementioned check. The default list of
77	- environment variables to check is displayed when ssuuddoo
78	- is run by root with the --VV option.
79	+ programs. The TZ variable is considerd unsafe if any
80	+ of the following are true:
81	+
82	+ ++oo It consists of a fully-qualified path name,
83	+ optionally prefixed with a colon (`:'), that does
84	+ not match the location of the _z_o_n_e_i_n_f_o directory.
85	+
86	+ ++oo It contains a _._. path element.
87	+
88	+ ++oo It contains white space or non-printable
89	+ characters.
90	+
91	+ ++oo It is longer than the value of PATH_MAX.
92	+
93	+ The argument may be a double-quoted, space-separated
94	+ list or a single value without double-quotes. The list
95	+ can be replaced, added to, deleted from, or disabled by
96	+ using the =, +=, -=, and ! operators respectively.
97	+ Regardless of whether the env_reset option is enabled
98	+ or disabled, variables specified by env_check will be
99	+ preserved in the environment if they pass the
100	+ aforementioned check. The default list of environment
101	+ variables to check is displayed when ssuuddoo is run by
102	+ root with the --VV option.
103
104	env_delete Environment variables to be removed from the user's
105	environment when the _e_n_v___r_e_s_e_t option is not in effect.
106	diff -up sudo-1.8.6p3/doc/sudoers.man.in.CVE-2014-9680 sudo-1.8.6p3/doc/sudoers.man.in
107	--- sudo-1.8.6p3/doc/sudoers.man.in.CVE-2014-9680 2015-03-31 12:55:08.366841953 +0200
108	+++ sudo-1.8.6p3/doc/sudoers.man.in 2015-03-31 13:01:57.539420274 +0200
109	@@ -3002,14 +3002,47 @@ The default value is
110	\fBLists that can be used in a boolean context\fR:
111	.TP 18n
112	env_check
113	-Environment variables to be removed from the user's environment if
114	-the variable's value contains
115	-`%'
116	+ Environment variables to be removed from the user's environment if
117	+unless they are considered
118	+\(lqsafe\(rq.
119	+For all variables except
120	+\fRTZ\fR,
121	+\(lqsafe\(rq
122	+means that the variable's value does not contain any
123	+\(oq%\(cq
124	or
125	-`/'
126	+\(oq/\(cq
127	characters.
128	This can be used to guard against printf-style format vulnerabilities
129	in poorly-written programs.
130	+The
131	+\fRTZ\fR
132	+variable is considerd unsafe if any of the following are true:
133	+.PP
134	+.RS 18n
135	+.PD 0
136	+.TP 4n
137	+\fB\(bu\fR
138	+It consists of a fully-qualified path name,
139	+optionally prefixed with a colon
140	+(\(oq:\&\(cq),
141	+that does not match the location of the
142	+\fIzoneinfo\fR
143	+directory.
144	+.PD
145	+.TP 4n
146	+\fB\(bu\fR
147	+It contains a
148	+\fI..\fR
149	+path element.
150	+.TP 4n
151	+\fB\(bu\fR
152	+It contains white space or non-printable characters.
153	+.TP 4n
154	+\fB\(bu\fR
155	+It is longer than the value of
156	+\fRPATH_MAX\fR.
157	+.PP
158	The argument may be a double-quoted, space-separated list or a
159	single value without double-quotes.
160	The list can be replaced, added to, deleted from, or disabled by using
161	@@ -3031,6 +3064,7 @@ is run by root with
162	the
163	\fB\-V\fR
164	option.
165	+.RE
166	.TP 18n
167	env_delete
168	Environment variables to be removed from the user's environment when the
169	diff -up sudo-1.8.6p3/doc/sudoers.mdoc.in.CVE-2014-9680 sudo-1.8.6p3/doc/sudoers.mdoc.in
170	--- sudo-1.8.6p3/doc/sudoers.mdoc.in.CVE-2014-9680 2015-03-31 12:55:08.366841953 +0200
171	+++ sudo-1.8.6p3/doc/sudoers.mdoc.in 2015-03-31 13:03:21.721510569 +0200
172	@@ -2791,13 +2791,40 @@ The default value is
173	.Bl -tag -width 16n
174	.It env_check
175	Environment variables to be removed from the user's environment if
176	-the variable's value contains
177	+unless they are considered
178	+.Dq safe .
179	+For all variables except
180	+.Li TZ ,
181	+.Dq safe
182	+means that the variable's value does not contain any
183	.Ql %
184	or
185	.Ql /
186	characters.
187	This can be used to guard against printf-style format vulnerabilities
188	in poorly-written programs.
189	+The
190	+.Li TZ
191	+variable is considerd unsafe if any of the following are true:
192	+.Bl -bullet
193	+.It
194	+It consists of a fully-qualified path name,
195	+optionally prefixed with a colon
196	+.Pq Ql :\& ,
197	+that does not match the location of the
198	+.Pa zoneinfo
199	+directory.
200	+.It
201	+It contains a
202	+.Pa ..
203	+path element.
204	+.It
205	+It contains white space or non-printable characters.
206	+.It
207	+It is longer than the value of
208	+.Li PATH_MAX .
209	+.El
210	+.Pp
211	The argument may be a double-quoted, space-separated list or a
212	single value without double-quotes.
213	The list can be replaced, added to, deleted from, or disabled by using
214	diff -up sudo-1.8.6p3/INSTALL.CVE-2014-9680 sudo-1.8.6p3/INSTALL
215	--- sudo-1.8.6p3/INSTALL.CVE-2014-9680 2012-09-18 15:57:43.000000000 +0200
216	+++ sudo-1.8.6p3/INSTALL 2015-03-31 12:55:08.394841651 +0200
217	@@ -461,6 +461,16 @@ The following options are also configura
218	Override the default location of the sudo timestamp directory and
219	use "path" instead.
220
221	+ --with-tzdir=DIR
222	+ Set the directory to the system's time zone data files. This
223	+ is only used when sanitizing the TZ environment variable to
224	+ allow for fully-qualified paths in TZ.
225	+ By default, configure will look for an existing "zoneinfo"
226	+ directory in the following locations:
227	+ /usr/share /usr/share/lib /usr/lib /etc
228	+ If no zoneinfo directory is found, the TZ variable may not
229	+ contain a fully-qualified path.
230	+
231	--with-sendmail=PATH
232	Override configure's guess as to the location of sendmail.
233
234	diff -up sudo-1.8.6p3/pathnames.h.in.CVE-2014-9680 sudo-1.8.6p3/pathnames.h.in
235	--- sudo-1.8.6p3/pathnames.h.in.CVE-2014-9680 2012-09-18 15:56:28.000000000 +0200
236	+++ sudo-1.8.6p3/pathnames.h.in 2015-03-31 12:55:08.394841651 +0200
237	@@ -168,3 +168,7 @@
238	#ifndef _PATH_NETSVC_CONF
239	#undef _PATH_NETSVC_CONF
240	#endif /* _PATH_NETSVC_CONF */
241	+
242	+#ifndef _PATH_ZONEINFO
243	+# undef _PATH_ZONEINFO
244	+#endif /* _PATH_ZONEINFO */
245	diff -up sudo-1.8.6p3/plugins/sudoers/env.c.CVE-2014-9680 sudo-1.8.6p3/plugins/sudoers/env.c
246	--- sudo-1.8.6p3/plugins/sudoers/env.c.CVE-2014-9680 2012-09-18 15:57:43.000000000 +0200
247	+++ sudo-1.8.6p3/plugins/sudoers/env.c 2015-03-31 12:55:08.394841651 +0200
248	@@ -198,6 +198,7 @@ static const char *initial_checkenv_tabl
249	"LC_*",
250	"LINGUAS",
251	"TERM",
252	+ "TZ",
253	NULL
254	};
255
256	@@ -213,7 +214,6 @@ static const char *initial_keepenv_table
257	"PATH",
258	"PS1",
259	"PS2",
260	- "TZ",
261	"XAUTHORITY",
262	"XAUTHORIZATION",
263	NULL
264	@@ -584,6 +584,54 @@ matches_env_delete(const char *var)
265	}
266
267	/*
268	+ * Sanity-check the TZ environment variable.
269	+ * On many systems it is possible to set this to a pathname.
270	+ */
271	+static bool
272	+tz_is_sane(const char *tzval)
273	+{
274	+ const char *cp;
275	+ char lastch;
276	+ debug_decl(tz_is_sane, SUDO_DEBUG_ENV)
277	+
278	+ /* tzcode treats a value beginning with a ':' as a path. */
279	+ if (tzval[0] == ':')
280	+ tzval++;
281	+
282	+ /* Reject fully-qualified TZ that doesn't being with the zoneinfo dir. */
283	+ if (tzval[0] == '/') {
284	+#ifdef _PATH_ZONEINFO
285	+ if (strncmp(tzval, _PATH_ZONEINFO, sizeof(_PATH_ZONEINFO) - 1) != 0 \|\|
286	+ tzval[sizeof(_PATH_ZONEINFO) - 1] != '/')
287	+ debug_return_bool(false);
288	+#else
289	+ /* Assume the worst. */
290	+ debug_return_bool(false);
291	+#endif
292	+ }
293	+
294	+ /*
295	+ * Make sure TZ only contains printable non-space characters
296	+ * and does not contain a '..' path element.
297	+ */
298	+ lastch = '/';
299	+ for (cp = tzval; *cp != '\0'; cp++) {
300	+ if (isspace((unsigned char)cp) \|\| !isprint((unsigned char)cp))
301	+ debug_return_bool(false);
302	+ if (lastch == '/' && cp[0] == '.' && cp[1] == '.' &&
303	+ (cp[2] == '/' \|\| cp[2] == '\0'))
304	+ debug_return_bool(false);
305	+ lastch = *cp;
306	+ }
307	+
308	+ /* Reject extra long TZ values (even if not a path). */
309	+ if ((size_t)(cp - tzval) >= PATH_MAX)
310	+ debug_return_bool(false);
311	+
312	+ debug_return_bool(true);
313	+}
314	+
315	+/*
316	* Apply the env_check list.
317	* Returns true if the variable is allowed, false if denied
318	* or -1 if no match.
319	@@ -607,8 +655,13 @@ matches_env_check(const char *var)
320	iswild = false;
321	if (strncmp(cur->value, var, len) == 0 &&
322	(iswild \|\| var[len] == '=')) {
323	+ if (strncmp(var, "TZ=", 3) == 0 ) {
324	+ /* Sperial case for TZ */
325	+ keepit = tz_is_sane(var + 3);
326	+ } else {
327	keepit = !strpbrk(var, "/%");
328	- break;
329	+ }
330	+ break;
331	}
332	}
333	debug_return_bool(keepit);