[sudo-users] security bug -- sudo undefines functions in environment

Tim Bradshaw tfb at tfeb.org
Wed Aug 6 06:56:45 MDT 2014

On 6 Aug 2014, at 13:22, Todd C. Miller <Todd.Miller at courtesan.com> wrote:

> to match the function named foo with any contents.  If no '=' is
> found in the env_keep/env_delete string only the name would be
> matched which preserves the old behavior.

Although its pathological (and I suspect may not be compliant with whatever) at least some platforms allow '=' in environment variable names.  I am not sure if this matters.

More information about the sudo-users mailing list