From 2a236bd218f75a394904cd2c2184fbf2c2fd446f Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Mon, 22 Feb 2010 17:32:24 -0500
Subject: [PATCH 1/5] Check for pseudo-command by looking at the first character of the command in sudoers instead of checking the user-supplied command for a slash.
--HG-- branch : 1.7
---
 match.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/match.c b/match.c
index 8bfbdf9a1..38acec43b 100644
--- a/match.c
+++ b/match.c
@@ -375,7 +375,7 @@ command_matches(sudoers_cmnd, sudoers_args)
 char *sudoers_args;
 {
 /* Check for pseudo-commands */
- if (strchr(user_cmnd, '/') == NULL) {
+ if (sudoers_cmnd[0] != '/') {
 /*
 * Return true if both sudoers_cmnd and user_cmnd are "sudoedit" AND
 * a) there are no args in sudoers OR
From 731a6e850e38046690e6194cc5800b92ea8d1083 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Mon, 8 Mar 2010 13:53:54 -0500
Subject: [PATCH 2/5] In setenv(), if the var is empty, return 1 and set errno to EINVAL instead of returning EINVAL directly.
--HG-- branch : 1.7
---
 env.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/env.c b/env.c
index 88e6553ea..be7e5c6d9 100644
--- a/env.c
+++ b/env.c
@@ -250,8 +250,10 @@ setenv(var, val, overwrite)
 const char *cp;
 size_t esize;
- if (!var || *var == '\0')
- return(EINVAL);
+ if (!var || *var == '\0') {
+ errno = EINVAL;
+ return(-1);
+ }
 /*
 * POSIX says a var name with '=' is an error but BSD
From 7d06308236d18622bdbc6429f3dfa5216f3f7dd7 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Mon, 8 Mar 2010 14:27:30 -0500
Subject: [PATCH 3/5] Use parent process group id instead of parent process id when checking foreground status and suspending parent. Fixes an issue when running commands under /usr/bin/time and others.
--HG-- branch : 1.7
---
 script.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/script.c b/script.c
index 91c92ad8c..c495131a5 100644
--- a/script.c
+++ b/script.c
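Review bot: In match.c, `command_matches()`, the new test `if (sudoers_cmnd[0] != '/')` makes an authorization decision whose rationale is not recorded in the code: the branch is now selected by the sudoers entry, which comes from the policy file, rather than by `user_cmnd`, which the invoking user chooses. The one-line comment above it should say so, for example `/* Pseudo-commands are recognised from the sudoers entry, never from the user-supplied path. */`. The function body continues past the hunk, so whether the comparison of `user_cmnd` with "sudoedit" inside the branch is an exact string match cannot be confirmed from here and is worth checking alongside this change. The test also reads `sudoers_cmnd[0]` unconditionally, so it relies on the caller never passing NULL.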
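Review bot: In env.c, `setenv()`, the failure value changes from a positive `EINVAL` to `-1` with `errno` set, so every caller in the tree needs a matching check; a caller that tests `== EINVAL` or `> 0` would no longer see the failure, and in code that builds the environment for a privileged command a missed failure leaves the variable silently as it was. The hunk does not show whether env.c already includes `<errno.h>`, which the new assignment requires. A short comment on the guard would pin the contract: `/* POSIX: NULL or empty name fails with -1 and errno = EINVAL. */`. The rest of the function, including the handling of '=' in the name mentioned in the trailing comment, is outside the hunk.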
@@ -108,7 +108,7 @@ static sig_atomic_t tty_initialized = 0;
 static sigset_t ttyblock;
-static pid_t parent, child;
+static pid_t ppgrp, child;
 static int child_status;
 static int foreground;
@@ -356,7 +356,7 @@ log_output(buf, n, then, now, ofile, tfile)
 static void
 check_foreground()
 {
- foreground = tcgetpgrp(script_fds[SFD_USERTTY]) == parent;
+ foreground = tcgetpgrp(script_fds[SFD_USERTTY]) == ppgrp;
 if (foreground && !tty_initialized) {
 if (term_copy(script_fds[SFD_USERTTY], script_fds[SFD_SLAVE], ttyout)) {
 tty_initialized = 1;
@@ -419,7 +419,7 @@ suspend_parent(signo, output, then, now, ofile, tfile)
 #ifdef SCRIPT_DEBUG
 warningx("kill parent %d", signo);
 #endif
- kill(parent, signo);
+ killpg(ppgrp, signo);
 /* Check foreground/background status on resume. */
 check_foreground();
@@ -496,8 +496,8 @@ script_execv(path, argv)
 #endif
 /* Are we the foreground process? */
- parent = getpid(); /* so child can pass signals back to us */
- foreground = tcgetpgrp(script_fds[SFD_USERTTY]) == parent;
+ ppgrp = getpgrp(); /* so child can pass signals back to us */
+ foreground = tcgetpgrp(script_fds[SFD_USERTTY]) == ppgrp;
 /* So we can block tty-generated signals */
 sigemptyset(&ttyblock);
From 09900584f258d28bcd42b42355ff4946c17b7c3e Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 9 Mar 2010 12:37:50 -0500
Subject: [PATCH 4/5] When doing a glob match, short circuit if gl.gl_pathc is 0. From Mark Kettenis.
--HG-- branch : 1.7
---
 match.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/match.c b/match.c
index 38acec43b..20f91763e 100644
--- a/match.c
+++ b/match.c
@@ -465,7 +465,7 @@ command_matches_glob(sudoers_cmnd, sudoers_args)
 * else return false.
 */
 #define GLOB_FLAGS (GLOB_NOSORT | GLOB_MARK | GLOB_BRACE | GLOB_TILDE)
- if (glob(sudoers_cmnd, GLOB_FLAGS, NULL, &gl) != 0) {
+ if (glob(sudoers_cmnd, GLOB_FLAGS, NULL, &gl) != 0 || gl.gl_pathc == 0) {
 globfree(&gl);
 return(FALSE);
 }
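Review bot: In script.c, `suspend_parent()`, `killpg(ppgrp, signo);` discards its return value and now delivers `signo` to every process in the parent's process group rather than to a single pid. If the call fails the parent is never stopped, yet the code goes straight on to `check_foreground()`; at minimum report it, e.g. `if (killpg(ppgrp, signo) != 0) warningx("killpg(%d, %d) failed", (int)ppgrp, signo);`. The call also deserves a comment stating that the sender must not itself be a member of `ppgrp`, otherwise a stop signal would suspend the sender as well; the hunk does not show how the child's process group is set up. The `SCRIPT_DEBUG` message still says "kill parent", and the function starts and ends outside the hunk.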
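Review bot: In script.c, `script_execv()`, the trailing comment on `ppgrp = getpgrp();` still reads "so child can pass signals back to us", but the value is now a process-group id and signals sent with it reach the whole group; reword it, e.g. `/* our process group; the child signals the whole group */`. `getpgrp()` has historically had two prototypes (POSIX takes no argument, older BSD takes a pid), so if such systems are a target the build should check which form is available; this patch adds no such check. The same substitution is made in `check_foreground()`, where a failing `tcgetpgrp()` returns -1 and simply leaves `foreground` at 0. The enclosing function extends beyond the hunk.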
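Review bot: In match.c, `command_matches_glob()`, the added `gl.gl_pathc == 0` test has no comment saying which case it guards. `glob()` normally reports an empty result as `GLOB_NOMATCH`, so the extra condition presumably matters only for implementations that return 0 with no paths, and protects the later use of `gl.gl_pathv`, which is outside the hunk. State that next to the test, e.g. `/* Some glob() implementations return 0 with gl_pathc == 0; treat that as no match. */`. The condition line now runs past 80 columns and would read better wrapped after `!= 0 ||`.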
From c2905815e6e8d33f21f7cbb85c90de75981e9900 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 22 Mar 2010 09:50:06 -0400 Subject: [PATCH 5/5] Fix installation of sudoers.ldap in "make install" when --with-ldap was specified without a directory. From Prof. Dr. Andreas Mueller --HG-- branch : 1.7 --- configure | 2 +- configure.in | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/configure b/configure index 2077d3682..e0cb82c81 100755 --- a/configure +++ b/configure @@ -24671,9 +24671,9 @@ if test ${with_ldap-'no'} != "no"; then CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include" with_ldap=yes - LDAP="" fi SUDO_OBJS="${SUDO_OBJS} ldap.o" + LDAP="" { echo "$as_me:$LINENO: checking for LDAP libraries" >&5 echo $ECHO_N "checking for LDAP libraries... $ECHO_C" >&6; } diff --git a/configure.in b/configure.in index 765240ab4..dd59d6f5e 100644 --- a/configure.in +++ b/configure.in @@ -2494,9 +2494,9 @@ if test ${with_ldap-'no'} != "no"; then SUDO_APPEND_LIBPATH(LDFLAGS, [${with_ldap}/lib]) CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include" with_ldap=yes - LDAP="" fi SUDO_OBJS="${SUDO_OBJS} ldap.o" + LDAP="" AC_MSG_CHECKING([for LDAP libraries]) LDAP_LIBS=""