From 79657697514bb6c99ca7d4c2c3ecb4f8f59b7545 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 24 Apr 2014 16:29:49 +0000
Subject: Fix logic inversion when checking environment variables on the command line against the blacklist. This is only a problem when env_reset is disabled. CVE 2014-0106
---
 usr.bin/sudo/env.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'usr.bin')
diff --git a/usr.bin/sudo/env.c b/usr.bin/sudo/env.c
index 3dc11836ecc..ef2785d95bf 100644
--- a/usr.bin/sudo/env.c
+++ b/usr.bin/sudo/env.c
@@ -832,7 +832,7 @@ validate_env_vars(env_vars)
 okvar = matches_env_keep(var->value);
 } else {
 okvar = matches_env_delete(var->value) == FALSE;
- if (okvar == FALSE)
+ if (okvar == TRUE)
 okvar = matches_env_check(var->value) != FALSE;
 }
 if (okvar == FALSE) {
-- 
cgit v1.2.3
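Review bot: The corrected test `if (okvar == TRUE)` in the else branch of validate_env_vars still has no comment stating the rule it enforces, and the safe and unsafe forms differ by a single token, so the inversion is easy to reintroduce. I would add above it something like `/* Not on the env_delete list; a variable matching env_check must still pass that check. */` and write the test as `if (okvar)` so it does not depend on TRUE being exactly 1. The `!= FALSE` on the following line suggests matches_env_check can return a value other than TRUE or FALSE, presumably for "no match"; that is not visible here and should be confirmed and stated in the comment. A regression test that passes a blacklisted variable on the command line with env_reset disabled (the case the commit message names) would pin the fix. The function begins and ends outside the hunk, so how a rejected variable is reported is not reviewable from this page.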