Move sudo_end{gr,pw}ent() until just before the exec since they

free up our cached copy of the passwd structs, including sudo_user
and sudo_runas.  Fixes a use-after-free bug.

diff --git a/sudo.c b/sudo.c
index 4206f4a6168c5facd9c58199fcd7bb370c148da0..a41310d2c41adfdbac55f6469c924421643ef074 100644 (file)
--- a/sudo.c
+++ b/sudo.c
@@ -404,10 +404,6 @@ main(argc, argv)
        if (ISSET(sudo_mode, MODE_RUN))
            set_perms(PERM_FULL_RUNAS);
 
-       /* Close the password and group files */
-       sudo_endpwent();
-       sudo_endgrent();
-
        if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
            char *p;
 
@@ -431,6 +427,10 @@ main(argc, argv)
        (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
        (void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
 
+       /* Close the password and group files and free up memory. */
+       sudo_endpwent();
+       sudo_endgrent();
+
        closefrom(def_closefrom + 1);
 
 #ifndef PROFILING

diff --git a/sudo_edit.c b/sudo_edit.c
index f0827c598bd331ea7cdfe6cf6126e14157a8df42..cac22312ddf6f86b9280638e0151e6302af0fa91 100644 (file)
--- a/sudo_edit.c
+++ b/sudo_edit.c
@@ -240,6 +240,9 @@ int sudo_edit(argc, argv)
        (void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
        (void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
        set_perms(PERM_FULL_USER);
+       sudo_endpwent();
+       sudo_endgrent();
+       closefrom(def_closefrom + 1);
        execvp(nargv[0], nargv);
        warning("unable to execute %s", nargv[0]);
        _exit(127);