Make an empty group or netgroup a syntax error.

diff --git a/plugins/sudoers/toke.c b/plugins/sudoers/toke.c
index 4f90111ec13b5555a55870401471d9c07f66e034..535c264c53d15684ed1776fbc27be116942ecae1 100644 (file)
--- a/plugins/sudoers/toke.c
+++ b/plugins/sudoers/toke.c
@@ -289,75 +289,75 @@ static void yy_fatal_error YY_PROTO(( yyconst char msg[] ));
        *yy_cp = '\0'; \
        yy_c_buf_p = yy_cp;
 
-#define YY_NUM_RULES 55
-#define YY_END_OF_BUFFER 56
+#define YY_NUM_RULES 56
+#define YY_END_OF_BUFFER 57
 static yyconst short int yy_accept[599] =
     {   0,
         0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-        0,    0,   56,   43,   51,   50,   49,   42,   54,   43,
-       44,   45,   43,   46,   43,   43,   43,   43,   48,   47,
-       54,   38,   38,   38,   38,   38,   38,   38,   54,   43,
-       43,   51,   54,   38,   38,   38,   38,   38,    2,   54,
-        1,   43,   43,   17,   16,   17,   16,   16,   54,   54,
-       54,    3,    9,    8,    9,    4,    9,    5,   54,   13,
-       13,   13,   11,   12,   43,    0,   51,   49,    0,   53,
-        0,   43,   33,    0,    0,    0,   32,    0,   41,   41,
-        0,   43,   43,    0,   43,   43,   43,   43,    0,   36,
-
-       38,   38,   38,   38,   38,   38,   38,   43,   52,   43,
-       51,    0,    0,    0,    0,    0,    0,   43,   43,   43,
-       43,   43,    2,    1,    0,    1,   39,   39,    0,   43,
+        0,    0,   57,   44,   52,   51,   50,   43,   55,   32,
+       45,   46,   32,   47,   44,   44,   44,   44,   49,   48,
+       55,   39,   39,   39,   39,   39,   39,   39,   55,   44,
+       44,   52,   55,   39,   39,   39,   39,   39,    2,   55,
+        1,   44,   44,   17,   16,   17,   16,   16,   55,   55,
+       55,    3,    9,    8,    9,    4,    9,    5,   55,   13,
+       13,   13,   11,   12,   44,    0,   52,   50,    0,   54,
+        0,   44,   34,    0,   32,    0,   33,    0,   42,   42,
+        0,   44,   44,    0,   44,   44,   44,   44,    0,   37,
+
+       39,   39,   39,   39,   39,   39,   39,   44,   53,   44,
+       52,    0,    0,    0,    0,    0,    0,   44,   44,   44,
+       44,   44,    2,    1,    0,    1,   40,   40,    0,   44,
        17,   17,   15,   14,   15,    0,    0,    3,    9,    0,
         6,    7,    9,    9,   13,    0,   13,   13,    0,   10,
-        0,    0,    0,   33,   33,    0,    0,   43,   43,   43,
-       43,   43,    0,    0,   36,   36,   38,   38,   38,   38,
-       38,   38,   38,   38,   38,   43,    0,    0,    0,    0,
-        0,    0,   43,   43,   43,   43,   43,    0,   43,   10,
-        0,   43,   43,   43,   43,   43,   43,    0,   37,   37,
-
-       37,    0,    0,   36,   36,   36,   36,   36,   36,   36,
-       38,   38,   38,   38,   38,   38,   38,   38,   38,   43,
-        0,    0,    0,    0,    0,    0,   43,   43,   43,   43,
-       43,   43,   43,    0,    0,   37,   37,   37,    0,   36,
-       36,    0,   36,   36,   36,   36,   36,   36,   36,   36,
-       36,   36,   36,    0,   25,   38,   38,   38,   38,   38,
-       38,   38,   38,   43,    0,    0,    0,    0,   43,   43,
-       43,   43,   43,   43,   43,   43,    0,   37,    0,   36,
-       36,   36,    0,    0,    0,   36,   36,   36,   36,   36,
-       36,   36,   36,   36,   36,   36,   36,   36,   38,   38,
-
-       38,   38,   38,   38,   38,   38,   43,    0,    0,    0,
-       43,   43,   43,   34,   34,   34,    0,    0,   36,   36,
-       36,   36,   36,   36,   36,    0,    0,    0,    0,    0,
-       36,   36,   36,   36,   36,   36,   36,   36,   36,   36,
-       36,   36,   36,   36,   38,   38,    0,   24,   38,   38,
-       38,   38,    0,   23,    0,   26,   43,    0,    0,    0,
-       43,   43,   43,   43,   34,   34,   34,   34,    0,   36,
-        0,   36,   36,   36,   36,   36,   36,   36,   36,   36,
-       36,   36,    0,    0,    0,   36,   36,   36,   36,   36,
-       36,   36,   36,   36,   36,   36,   36,   36,   38,   38,
-
-       38,   38,   38,   38,   40,    0,    0,    0,   43,   20,
-       39,   43,   35,   35,   35,   36,    0,    0,    0,   36,
-       36,   36,   36,   36,   36,   36,   36,   36,   36,   36,
-       36,   36,    0,    0,    0,    0,    0,   36,   36,   36,
-       36,   36,   36,   36,   36,   38,   38,   38,   38,    0,
-       22,    0,   27,    0,   20,    0,    0,   43,    0,   43,
-       43,   43,   35,   35,   35,   35,   35,    0,    0,    0,
-        0,    0,   36,   36,   36,   36,   36,   36,   36,   36,
-       36,   36,   36,   36,   36,   36,   36,   36,   36,   36,
-       36,   36,    0,   30,   38,   38,   38,    0,    0,    0,
-
-       21,   20,    0,    0,    0,    0,    0,   20,    0,   43,
-       43,   43,   35,   35,    0,    0,    0,   36,   36,   36,
-       36,   36,   36,   36,   36,   36,   36,   36,   36,   36,
-       36,   36,   36,   36,   36,    0,   28,   38,   38,   21,
-        0,   18,    0,    0,   20,   43,   43,   43,   43,   43,
-        0,    0,    0,    0,    0,   36,   36,   36,   36,   36,
-       36,   36,   36,    0,   31,   38,    0,   43,   43,   43,
-       36,   36,   36,   36,   36,   36,    0,   29,    0,   43,
-       43,   43,   43,   43,   36,   36,   36,   36,   36,    0,
-       19,   34,   34,   34,   34,   34,   34,    0
+        0,    0,    0,   34,   34,    0,    0,   44,   44,   44,
+       44,   44,    0,    0,   37,   37,   39,   39,   39,   39,
+       39,   39,   39,   39,   39,   44,    0,    0,    0,    0,
+        0,    0,   44,   44,   44,   44,   44,    0,   44,   10,
+        0,   44,   44,   44,   44,   44,   44,    0,   38,   38,
+
+       38,    0,    0,   37,   37,   37,   37,   37,   37,   37,
+       39,   39,   39,   39,   39,   39,   39,   39,   39,   44,
+        0,    0,    0,    0,    0,    0,   44,   44,   44,   44,
+       44,   44,   44,    0,    0,   38,   38,   38,    0,   37,
+       37,    0,   37,   37,   37,   37,   37,   37,   37,   37,
+       37,   37,   37,    0,   25,   39,   39,   39,   39,   39,
+       39,   39,   39,   44,    0,    0,    0,    0,   44,   44,
+       44,   44,   44,   44,   44,   44,    0,   38,    0,   37,
+       37,   37,    0,    0,    0,   37,   37,   37,   37,   37,
+       37,   37,   37,   37,   37,   37,   37,   37,   39,   39,
+
+       39,   39,   39,   39,   39,   39,   44,    0,    0,    0,
+       44,   44,   44,   35,   35,   35,    0,    0,   37,   37,
+       37,   37,   37,   37,   37,    0,    0,    0,    0,    0,
+       37,   37,   37,   37,   37,   37,   37,   37,   37,   37,
+       37,   37,   37,   37,   39,   39,    0,   24,   39,   39,
+       39,   39,    0,   23,    0,   26,   44,    0,    0,    0,
+       44,   44,   44,   44,   35,   35,   35,   35,    0,   37,
+        0,   37,   37,   37,   37,   37,   37,   37,   37,   37,
+       37,   37,    0,    0,    0,   37,   37,   37,   37,   37,
+       37,   37,   37,   37,   37,   37,   37,   37,   39,   39,
+
+       39,   39,   39,   39,   41,    0,    0,    0,   44,   20,
+       40,   44,   36,   36,   36,   37,    0,    0,    0,   37,
+       37,   37,   37,   37,   37,   37,   37,   37,   37,   37,
+       37,   37,    0,    0,    0,    0,    0,   37,   37,   37,
+       37,   37,   37,   37,   37,   39,   39,   39,   39,    0,
+       22,    0,   27,    0,   20,    0,    0,   44,    0,   44,
+       44,   44,   36,   36,   36,   36,   36,    0,    0,    0,
+        0,    0,   37,   37,   37,   37,   37,   37,   37,   37,
+       37,   37,   37,   37,   37,   37,   37,   37,   37,   37,
+       37,   37,    0,   30,   39,   39,   39,    0,    0,    0,
+
+       21,   20,    0,    0,    0,    0,    0,   20,    0,   44,
+       44,   44,   36,   36,    0,    0,    0,   37,   37,   37,
+       37,   37,   37,   37,   37,   37,   37,   37,   37,   37,
+       37,   37,   37,   37,   37,    0,   28,   39,   39,   21,
+        0,   18,    0,    0,   20,   44,   44,   44,   44,   44,
+        0,    0,    0,    0,    0,   37,   37,   37,   37,   37,
+       37,   37,   37,    0,   31,   39,    0,   44,   44,   44,
+       37,   37,   37,   37,   37,   37,    0,   29,    0,   44,
+       44,   44,   44,   44,   37,   37,   37,   37,   37,    0,
+       19,   35,   35,   35,   35,   35,   35,    0
 
     } ;
 
@@ -1851,9 +1851,19 @@ YY_RULE_SETUP
                            if (prev_state == INITIAL) {
                                switch (yylval.string[0]) {
                                case '%':
+                                   if (yylval.string[1] == '\0' ||
+                                       (yylval.string[1] == ':' &&
+                                       yylval.string[2] == '\0')) {
+                                       LEXTRACE("ERROR "); /* empty group */
+                                       return ERROR;
+                                   }
                                    LEXTRACE("USERGROUP ");
                                    return USERGROUP;
                                case '+':
+                                   if (yylval.string[1] == '\0') {
+                                       LEXTRACE("ERROR "); /* empty netgroup */
+                                       return ERROR;
+                                   }
                                    LEXTRACE("NETGROUP ");
                                    return NETGROUP;
                                }
@@ -1864,7 +1874,7 @@ YY_RULE_SETUP
        YY_BREAK
 case 12:
 YY_RULE_SETUP
-#line 202 "toke.l"
+#line 212 "toke.l"
 {
                            LEXTRACE("BACKSLASH ");
                            if (!append(yytext, yyleng))
@@ -1873,7 +1883,7 @@ YY_RULE_SETUP
        YY_BREAK
 case 13:
 YY_RULE_SETUP
-#line 208 "toke.l"
+#line 218 "toke.l"
 {
                            LEXTRACE("STRBODY ");
                            if (!append(yytext, yyleng))
@@ -1884,7 +1894,7 @@ YY_RULE_SETUP
 
 case 14:
 YY_RULE_SETUP
-#line 216 "toke.l"
+#line 226 "toke.l"
 {
                            /* quoted fnmatch glob char, pass verbatim */
                            LEXTRACE("QUOTEDCHAR ");
@@ -1895,7 +1905,7 @@ YY_RULE_SETUP
        YY_BREAK
 case 15:
 YY_RULE_SETUP
-#line 224 "toke.l"
+#line 234 "toke.l"
 {
                            /* quoted sudoers special char, strip backslash */
                            LEXTRACE("QUOTEDCHAR ");
@@ -1906,7 +1916,7 @@ YY_RULE_SETUP
        YY_BREAK
 case 16:
 YY_RULE_SETUP
-#line 232 "toke.l"
+#line 242 "toke.l"
 {
                            BEGIN INITIAL;
                            yyless(0);
@@ -1915,7 +1925,7 @@ YY_RULE_SETUP
        YY_BREAK
 case 17:
 YY_RULE_SETUP
-#line 238 "toke.l"
+#line 248 "toke.l"
 {
                            LEXTRACE("ARG ");
                            if (!fill_args(yytext, yyleng, sawspace))
@@ -1926,7 +1936,7 @@ YY_RULE_SETUP
 
 case 18:
 YY_RULE_SETUP
-#line 246 "toke.l"
+#line 256 "toke.l"
 {
                            char *path;
 
@@ -1947,7 +1957,7 @@ YY_RULE_SETUP
        YY_BREAK
 case 19:
 YY_RULE_SETUP
-#line 264 "toke.l"
+#line 274 "toke.l"
 {
                            char *path;
 
@@ -1971,7 +1981,7 @@ YY_RULE_SETUP
        YY_BREAK
 case 20:
 YY_RULE_SETUP
-#line 285 "toke.l"
+#line 295 "toke.l"
 {
                            char deftype;
                            int n;
@@ -2014,7 +2024,7 @@ YY_RULE_SETUP
        YY_BREAK
 case 21:
 YY_RULE_SETUP
-#line 325 "toke.l"
+#line 335 "toke.l"
 {
                            int n;
 
@@ -2043,7 +2053,7 @@ YY_RULE_SETUP
        YY_BREAK
 case 22:
 YY_RULE_SETUP
-#line 351 "toke.l"
+#line 361 "toke.l"
 {
                                /* cmnd does not require passwd for this user */
                                LEXTRACE("NOPASSWD ");
@@ -2052,7 +2062,7 @@ YY_RULE_SETUP
        YY_BREAK
 case 23:
 YY_RULE_SETUP
-#line 357 "toke.l"
+#line 367 "toke.l"
 {
                                /* cmnd requires passwd for this user */
                                LEXTRACE("PASSWD ");
@@ -2061,7 +2071,7 @@ YY_RULE_SETUP
        YY_BREAK
 case 24:
 YY_RULE_SETUP
-#line 363 "toke.l"
+#line 373 "toke.l"
 {
                                LEXTRACE("NOEXEC ");
                                return NOEXEC;
@@ -2069,7 +2079,7 @@ YY_RULE_SETUP
        YY_BREAK
 case 25:
 YY_RULE_SETUP
-#line 368 "toke.l"
+#line 378 "toke.l"
 {
                                LEXTRACE("EXEC ");
                                return EXEC;
@@ -2077,7 +2087,7 @@ YY_RULE_SETUP
        YY_BREAK
 case 26:
 YY_RULE_SETUP
-#line 373 "toke.l"
+#line 383 "toke.l"
 {
                                LEXTRACE("SETENV ");
                                return SETENV;
@@ -2085,7 +2095,7 @@ YY_RULE_SETUP
        YY_BREAK
 case 27:
 YY_RULE_SETUP
-#line 378 "toke.l"
+#line 388 "toke.l"
 {
                                LEXTRACE("NOSETENV ");
                                return NOSETENV;
@@ -2093,7 +2103,7 @@ YY_RULE_SETUP
        YY_BREAK
 case 28:
 YY_RULE_SETUP
-#line 383 "toke.l"
+#line 393 "toke.l"
 {
                                LEXTRACE("LOG_OUTPUT ");
                                return LOG_OUTPUT;
@@ -2101,7 +2111,7 @@ YY_RULE_SETUP
        YY_BREAK
 case 29:
 YY_RULE_SETUP
-#line 388 "toke.l"
+#line 398 "toke.l"
 {
                                LEXTRACE("NOLOG_OUTPUT ");
                                return NOLOG_OUTPUT;
@@ -2109,7 +2119,7 @@ YY_RULE_SETUP
        YY_BREAK
 case 30:
 YY_RULE_SETUP
-#line 393 "toke.l"
+#line 403 "toke.l"
 {
                                LEXTRACE("LOG_INPUT ");
                                return LOG_INPUT;
@@ -2117,7 +2127,7 @@ YY_RULE_SETUP
        YY_BREAK
 case 31:
 YY_RULE_SETUP
-#line 398 "toke.l"
+#line 408 "toke.l"
 {
                                LEXTRACE("NOLOG_INPUT ");
                                return NOLOG_INPUT;
@@ -2125,7 +2135,16 @@ YY_RULE_SETUP
        YY_BREAK
 case 32:
 YY_RULE_SETUP
-#line 403 "toke.l"
+#line 413 "toke.l"
+{
+                           /* empty group or netgroup */
+                           LEXTRACE("ERROR ");
+                           return ERROR;
+                       }
+       YY_BREAK
+case 33:
+YY_RULE_SETUP
+#line 419 "toke.l"
 {
                            /* netgroup */
                            if (!fill(yytext, yyleng))
@@ -2134,9 +2153,9 @@ YY_RULE_SETUP
                            return NETGROUP;
                        }
        YY_BREAK
-case 33:
+case 34:
 YY_RULE_SETUP
-#line 411 "toke.l"
+#line 427 "toke.l"
 {
                            /* group */
                            if (!fill(yytext, yyleng))
@@ -2145,9 +2164,9 @@ YY_RULE_SETUP
                            return USERGROUP;
                        }
        YY_BREAK
-case 34:
+case 35:
 YY_RULE_SETUP
-#line 419 "toke.l"
+#line 435 "toke.l"
 {
                            if (!fill(yytext, yyleng))
                                yyterminate();
@@ -2155,9 +2174,9 @@ YY_RULE_SETUP
                            return NTWKADDR;
                        }
        YY_BREAK
-case 35:
+case 36:
 YY_RULE_SETUP
-#line 426 "toke.l"
+#line 442 "toke.l"
 {
                            if (!fill(yytext, yyleng))
                                yyterminate();
@@ -2165,9 +2184,9 @@ YY_RULE_SETUP
                            return NTWKADDR;
                        }
        YY_BREAK
-case 36:
+case 37:
 YY_RULE_SETUP
-#line 433 "toke.l"
+#line 449 "toke.l"
 {
                            if (!ipv6_valid(yytext)) {
                                LEXTRACE("ERROR ");
@@ -2179,9 +2198,9 @@ YY_RULE_SETUP
                            return NTWKADDR;
                        }
        YY_BREAK
-case 37:
+case 38:
 YY_RULE_SETUP
-#line 444 "toke.l"
+#line 460 "toke.l"
 {
                            if (!ipv6_valid(yytext)) {
                                LEXTRACE("ERROR ");
@@ -2193,9 +2212,9 @@ YY_RULE_SETUP
                            return NTWKADDR;
                        }
        YY_BREAK
-case 38:
+case 39:
 YY_RULE_SETUP
-#line 455 "toke.l"
+#line 471 "toke.l"
 {
                            if (strcmp(yytext, "ALL") == 0) {
                                LEXTRACE("ALL ");
@@ -2218,9 +2237,9 @@ YY_RULE_SETUP
                            return ALIAS;
                        }
        YY_BREAK
-case 39:
+case 40:
 YY_RULE_SETUP
-#line 477 "toke.l"
+#line 493 "toke.l"
 {
                            /* no command args allowed for Defaults!/path */
                            if (!fill_cmnd(yytext, yyleng))
@@ -2229,9 +2248,9 @@ YY_RULE_SETUP
                            return COMMAND;
                        }
        YY_BREAK
-case 40:
+case 41:
 YY_RULE_SETUP
-#line 485 "toke.l"
+#line 501 "toke.l"
 {
                            BEGIN GOTCMND;
                            LEXTRACE("COMMAND ");
@@ -2239,9 +2258,9 @@ YY_RULE_SETUP
                                yyterminate();
                        }                       /* sudo -e */
        YY_BREAK
-case 41:
+case 42:
 YY_RULE_SETUP
-#line 492 "toke.l"
+#line 508 "toke.l"
 {
                            /* directories can't have args... */
                            if (yytext[yyleng - 1] == '/') {
@@ -2257,9 +2276,9 @@ YY_RULE_SETUP
                            }
                        }                       /* a pathname */
        YY_BREAK
-case 42:
+case 43:
 YY_RULE_SETUP
-#line 507 "toke.l"
+#line 523 "toke.l"
 {
                            LEXTRACE("BEGINSTR ");
                            yylval.string = NULL;
@@ -2267,9 +2286,9 @@ YY_RULE_SETUP
                            BEGIN INSTR;
                        }
        YY_BREAK
-case 43:
+case 44:
 YY_RULE_SETUP
-#line 514 "toke.l"
+#line 530 "toke.l"
 {
                            /* a word */
                            if (!fill(yytext, yyleng))
@@ -2278,57 +2297,57 @@ YY_RULE_SETUP
                            return WORD;
                        }
        YY_BREAK
-case 44:
+case 45:
 YY_RULE_SETUP
-#line 522 "toke.l"
+#line 538 "toke.l"
 {
                            LEXTRACE("( ");
                            return '(';
                        }
        YY_BREAK
-case 45:
+case 46:
 YY_RULE_SETUP
-#line 527 "toke.l"
+#line 543 "toke.l"
 {
                            LEXTRACE(") ");
                            return ')';
                        }
        YY_BREAK
-case 46:
+case 47:
 YY_RULE_SETUP
-#line 532 "toke.l"
+#line 548 "toke.l"
 {
                            LEXTRACE(", ");
                            return ',';
                        }                       /* return ',' */
        YY_BREAK
-case 47:
+case 48:
 YY_RULE_SETUP
-#line 537 "toke.l"
+#line 553 "toke.l"
 {
                            LEXTRACE("= ");
                            return '=';
                        }                       /* return '=' */
        YY_BREAK
-case 48:
+case 49:
 YY_RULE_SETUP
-#line 542 "toke.l"
+#line 558 "toke.l"
 {
                            LEXTRACE(": ");
                            return ':';
                        }                       /* return ':' */
        YY_BREAK
-case 49:
+case 50:
 YY_RULE_SETUP
-#line 547 "toke.l"
+#line 563 "toke.l"
 {
                            if (yyleng % 2 == 1)
                                return '!';     /* return '!' */
                        }
        YY_BREAK
-case 50:
+case 51:
 YY_RULE_SETUP
-#line 552 "toke.l"
+#line 568 "toke.l"
 {
                            BEGIN INITIAL;
                            ++sudolineno;
@@ -2337,25 +2356,25 @@ YY_RULE_SETUP
                            return COMMENT;
                        }                       /* return newline */
        YY_BREAK
-case 51:
+case 52:
 YY_RULE_SETUP
-#line 560 "toke.l"
+#line 576 "toke.l"
 {                      /* throw away space/tabs */
                            sawspace = TRUE;    /* but remember for fill_args */
                        }
        YY_BREAK
-case 52:
+case 53:
 YY_RULE_SETUP
-#line 564 "toke.l"
+#line 580 "toke.l"
 {
                            sawspace = TRUE;    /* remember for fill_args */
                            ++sudolineno;
                            continued = TRUE;
                        }                       /* throw away EOL after \ */
        YY_BREAK
-case 53:
+case 54:
 YY_RULE_SETUP
-#line 570 "toke.l"
+#line 586 "toke.l"
 {
                            BEGIN INITIAL;
                            ++sudolineno;
@@ -2364,9 +2383,9 @@ YY_RULE_SETUP
                            return COMMENT;
                        }                       /* comment, not uid/gid */
        YY_BREAK
-case 54:
+case 55:
 YY_RULE_SETUP
-#line 578 "toke.l"
+#line 594 "toke.l"
 {
                            LEXTRACE("ERROR ");
                            return ERROR;
@@ -2378,7 +2397,7 @@ case YY_STATE_EOF(GOTCMND):
 case YY_STATE_EOF(STARTDEFS):
 case YY_STATE_EOF(INDEFS):
 case YY_STATE_EOF(INSTR):
-#line 583 "toke.l"
+#line 599 "toke.l"
 {
                            if (YY_START != INITIAL) {
                                BEGIN INITIAL;
@@ -2389,12 +2408,12 @@ case YY_STATE_EOF(INSTR):
                                yyterminate();
                        }
        YY_BREAK
-case 55:
+case 56:
 YY_RULE_SETUP
-#line 593 "toke.l"
+#line 609 "toke.l"
 ECHO;
        YY_BREAK
-#line 2397 "lex.yy.c"
+#line 2416 "lex.yy.c"
 
        case YY_END_OF_BUFFER:
                {
@@ -3285,7 +3304,7 @@ int main()
        return 0;
        }
 #endif
-#line 593 "toke.l"
+#line 609 "toke.l"
 
 struct path_list {
     char *path;

diff --git a/plugins/sudoers/toke.l b/plugins/sudoers/toke.l
index f9a0bddcc77ab4e080d17fafa2c14b9c9384a5f1..f2c4f48f8783f22fe31c3f316dcd7d4ff5807197 100644 (file)
--- a/plugins/sudoers/toke.l
+++ b/plugins/sudoers/toke.l
@@ -188,9 +188,19 @@ DEFVAR                     [a-z_]+
                            if (prev_state == INITIAL) {
                                switch (yylval.string[0]) {
                                case '%':
+                                   if (yylval.string[1] == '\0' ||
+                                       (yylval.string[1] == ':' &&
+                                       yylval.string[2] == '\0')) {
+                                       LEXTRACE("ERROR "); /* empty group */
+                                       return ERROR;
+                                   }
                                    LEXTRACE("USERGROUP ");
                                    return USERGROUP;
                                case '+':
+                                   if (yylval.string[1] == '\0') {
+                                       LEXTRACE("ERROR "); /* empty netgroup */
+                                       return ERROR;
+                                   }
                                    LEXTRACE("NETGROUP ");
                                    return NETGROUP;
                                }
@@ -400,6 +410,12 @@ NOLOG_INPUT[[:blank:]]*:   {
                                return NOLOG_INPUT;
                        }
 
+<INITIAL,GOTDEFS>(\+|\%|\%:) {
+                           /* empty group or netgroup */
+                           LEXTRACE("ERROR ");
+                           return ERROR;
+                       }
+
 \+{WORD}               {
                            /* netgroup */
                            if (!fill(yytext, yyleng))