https://bugzilla.novell.com/show_bug.cgi?id=222728

https://bugzilla.novell.com/show_bug.cgi?id=222728#c47

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
       InfoProvider|suse-beta@cboltz.de         |lnussel@novell.com

--- Comment #47 from Christian Boltz <suse-beta@cboltz.de> 2010-11-27 19:53:00 CET ---
/etc/sudoers contains the list of variables to keep (LANG and several LC_*) in 11.3, so the bug itself is fixed. (Verified with sudo and kdesu.)

There's one remaining part that could be security relevant - Ludwig, can you please check if this is still valid?

(In reply to comment #30)
> Conclusion: LC_[...] are not used if they have a suspicious value, even if the program does _not_ run suid root.
> But LC_IDENTIFICATION is used. Strange glibc behaviour. Why is LC_IDENTIFICATION handled differently than all the others?
> Unfortunately, removing LC_IDENTIFICATION from the whitelist won't help because if LC_IDENTIFICATION is not set, the value of LANG is taken instead.