[sudo-users] security bug -- sudo undefines functions in environment
Tim Bradshaw
tfb at tfeb.org
Wed Aug 6 06:56:45 MDT 2014
On 6 Aug 2014, at 13:22, Todd C. Miller <Todd.Miller at courtesan.com> wrote:
>
> to match the function named foo with any contents. If no '=' is
> found in the env_keep/env_delete string only the name would be
> matched which preserves the old behavior.
Although its pathological (and I suspect may not be compliant with whatever) at least some platforms allow '=' in environment variable names. I am not sure if this matters.
More information about the sudo-users
mailing list