Fix logic inversion when checking environment variables on the
authormillert <millert@openbsd.org>
Thu, 24 Apr 2014 16:29:48 +0000 (16:29 +0000)
committermillert <millert@openbsd.org>
Thu, 24 Apr 2014 16:29:48 +0000 (16:29 +0000)
command line against the blacklist.  This is only a problem when
env_reset is disabled.  CVE-2014-0106

usr.bin/sudo/env.c

index 3dc1183..ef2785d 100644 (file)
@@ -832,7 +832,7 @@ validate_env_vars(env_vars)
                okvar = matches_env_keep(var->value);
        } else {
            okvar = matches_env_delete(var->value) == FALSE;
-           if (okvar == FALSE)
+           if (okvar == TRUE)
                okvar = matches_env_check(var->value) != FALSE;
        }
        if (okvar == FALSE) {
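Review bot: The corrected test at `if (okvar == TRUE)` still has no comment stating the policy this branch enforces, and the neighbouring `== FALSE` and `!= FALSE` comparisons make an inverted condition hard to spot. Judging by the `!= FALSE` test, matches_env_check() appears to have a third "not listed" result besides TRUE and FALSE; that should be confirmed and written down here. I would add `/* Not in env_delete: reject only if it is listed in env_check and fails the check. */` above the `if`. The commit as shown touches only env.c, so a regression test that runs with env_reset disabled and a command-line variable on the delete list would help keep this from recurring. validate_env_vars() begins and ends outside this hunk, so how okvar is reported afterwards is not visible here.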