Commit 5f7712d

Add GCONV_PATH to initial_badenv_table[]
This could be used on glibc systems such as Linux to load an arbitrary shared library when iconv_open() is called. On Linux systems, GCONV_PATH is removed from the environment by the dynamic linker for set-user-ID executables like sudo. However, for sudoers files where "reset_env" is disabled and either the "setenv" option is enabled or a user's privilege has the SETENV tag present, it could be set on the command line and passed to the command.

Credit:
- XlabAI Team of Tencent Xuanwu Lab ([email protected])
- Atuin Automated Vulnerability Discovery Engine
- Guannan Wang, Zhanpeng Liu, Guancheng Li
1 parent db66916 commit 5f7712d

1 file changed

Lines changed: 1 addition & 0 deletions

plugins/sudoers/env.c

@@ -194,6 +194,7 @@ static const char *initial_badenv_table[] = {
194194
"NODE_PATH", /* node.js, module search path */
195195
"GIT_SSH_COMMAND", /* git, custom SSH command */
196196
"GIT_CONFIG_GLOBAL", /* git, global config file override */
197+
"GCONV_PATH", /* glibc generic char set conversion iface */
197198
"*=()*", /* bash functions */
198199
NULL
199200
};
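
Review bot: the comment on the added "GCONV_PATH" entry names the interface ("glibc generic char set conversion iface") but not what the variable controls, while the neighbouring entries follow a "program, what the variable does" pattern ("node.js, module search path"; "git, custom SSH command"). Consider wording it along the lines of /* glibc, gconv module search path */ so that a reader of initial_badenv_table[] can see from the table alone that this variable decides where iconv_open() loads shared objects from, which is the reason given in the commit message for rejecting it.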
