add rant about CAN-2004-1051

Package-Manager: portage-2.0.51.19

2 files changed, 24 insertions, 6 deletions

diff --git a/app-admin/sudo/Manifest b/app-admin/sudo/Manifest
index 5c815ba869f0..1e3b23429f36 100644
--- a/app-admin/sudo/Manifest
+++ b/app-admin/sudo/Manifest
@@ -1,4 +1,4 @@
-MD5 e28e77cebd8c68d5902645cca3519dfe sudo-1.6.8_p8-r2.ebuild 3245
+MD5 ecd293b9c5b9674c787c45246bb8ea82 sudo-1.6.8_p8-r2.ebuild 3926
 MD5 1830dd653b9b5b92fa5cc86823e06d65 sudo-1.6.7_p5-r2.ebuild 1438
 MD5 7d0341077ad7fca4cc4633795287789e sudo-1.6.7_p5-r4.ebuild 1500
 MD5 e078aca7b2de640fe82d71a7de00c7b0 ChangeLog 5971
diff --git a/app-admin/sudo/sudo-1.6.8_p8-r2.ebuild b/app-admin/sudo/sudo-1.6.8_p8-r2.ebuild
index 153741457ff8..675f2f6f948e 100644
--- a/app-admin/sudo/sudo-1.6.8_p8-r2.ebuild
+++ b/app-admin/sudo/sudo-1.6.8_p8-r2.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2005 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.6.8_p8-r2.ebuild,v 1.7 2005/06/06 11:57:24 taviso Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.6.8_p8-r2.ebuild,v 1.8 2005/06/06 14:12:43 taviso Exp $
 
 inherit eutils pam
 
@@ -26,8 +26,22 @@ src_unpack() {
 	use skey && epatch ${FILESDIR}/${PN}-skeychallengeargs.diff
 
 	# additional variables to disallow, should user disable env_reset.
-	# NOTE: this is not a supported mode of operation, and should be avoided.
 
+	# NOTE: this is not a supported mode of operation, these variables
+	#       are added to the blacklist as a convenience to administrators
+	#       who fail to heed the warnings of allowing untrusted users
+	#       to access sudo.
+	#
+	#       there is *no possible way* to foresee all attack vectors in
+	#       all possible applications that could potentially be used via
+	#       sudo, these settings will just delay the inevitable.
+	#
+	#       that said, I will accept suggestions for variables that can
+	#       be misused in _common_ interpreters or libraries, such as 
+	#       perl, bash, python, ruby, etc., in the hope of dissuading
+	#       a casual attacker.
+
+	einfo "blacklisting variables..."
 	sudo_bad_var SHELLOPTS            # bash, change shoptions.
 	sudo_bad_var PERLIO_DEBUG         # perl, write debug to file.
 	sudo_bad_var PERL5LIB             # perl, change search path.
@@ -39,6 +53,7 @@ src_unpack() {
 	sudo_bad_var PS3                  # sh, prompt for select.
 	sudo_bad_var GLOBIGNORE           # bash, glob paterns to ignore.
 	sudo_bad_var PERL5OPT             # perl, set options
+	einfo "...done."
 }
 
 src_compile() {
@@ -47,7 +62,7 @@ src_compile() {
 	# secure_path must be compiled into sudo, so find the current setting
 	# of ROOTPATH. This is not perfect, but until it is available as a
 	# sudoers setting this will do.
-	einfo "setting secure_path..."
+	ebegin "setting secure_path..."
 
 	# why not use grep? variable might be expanded from other variables 
 	# declared in that file, and would have to eval the result anyway.
@@ -59,6 +74,7 @@ src_compile() {
 				*) continue;;
 			esac
 		done` || ewarn "failed to find secure_path, please report this"
+	eend $?
 
 	econf --with-secure-path="/bin:/sbin:/usr/bin:/usr/sbin:${ROOTPATH:-/usr/local/bin}" --with-env-editor \
 		`use_with offensive insults` \
@@ -87,8 +103,10 @@ src_install() {
 sudo_bad_var() {
 	local target='env.c' marker='\*initial_badenv_table\[\]'
 
-	# add ${1} to initial_badenv_table[].
-	sed -i 's#\(^.*'${marker}'.*$\)#\1\n\t"'${1}'",\n#' ${S}/${target}
+	# add $1 to initial_badenv_table[].
+	ebegin "	$1"
+		sed -i 's#\(^.*'${marker}'.*$\)#\1\n\t"'${1}'",\n#' ${S}/${target}
+	eend $?
 }
 
 pkg_postinst() {