Your message dated Sat, 21 May 2011 04:47:23 +0000
with message-id <[email protected]>
and subject line Bug#624212: fixed in oprofile 0.9.6-1.2
has caused the Debian Bug report #624212,
regarding arbitrary command execution via sudo opcontrol
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
624212: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624212
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: oprofile
Version: 0.9.6-1.1

I found a way to execute arbitrary commands when using opcontrol via sudo. I realize that sudoing shell scripts is a bad idea (the oprofile FAQ discourages the use of sudo), but sudo is nevertheless common advice on the internet for providing oprofile to a user without giving him full root access.

The problem is in the set_event function where the content of $2 is not checked.

set_event()
{
  # $2 is interpolated unquoted into the string that eval parses, so any
  # shell metacharacters in the event argument are run as shell code.
  eval "CHOSEN_EVENTS_$1=$2"
}

This error can be exploited by injecting commands via the -e option as in the following example:

$ sudo opcontrol -e "abcd;/usr/bin/id"
uid=0(root) gid=0(root) groups=0(root)
No such event "abcd"

This is a different vulnerability than
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0576

--- End Message ---
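The defect reported above is that the event argument is spliced into a string that eval then parses. The following is an added example, not oprofile's opcontrol script and not the patch that closed the bug: a set_event that validates both arguments and references the value as \$2 so that eval assigns it verbatim instead of re-parsing it. The allowed-character pattern, the error messages and the get_event helper are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not oprofile's code): a hardened set_event for a
# POSIX shell script that must keep using eval for indirect assignment.

# Accept only an index consisting of digits (constructed rule).
valid_index() {
    case "$1" in
        '' | *[!0-9]* ) return 1 ;;
        * )            return 0 ;;
    esac
}

# Accept only characters that can appear in an event specification such as
# NAME:count:unitmask:kernel:user. Anything else, including ; | & $ ` ( ) and
# whitespace, is rejected before the string gets anywhere near eval.
# The character class is an assumption for this example.
valid_event_spec() {
    case "$1" in
        '' )                  return 1 ;;
        *[!A-Za-z0-9_:.-]* )  return 1 ;;
        * )                   return 0 ;;
    esac
}

set_event() {
    valid_index "$1" || { echo "Invalid event index \"$1\"" >&2; return 1; }
    valid_event_spec "$2" || { echo "Invalid event specification \"$2\"" >&2; return 1; }
    # The value is written as \$2, so the text eval parses is literally
    # CHOSEN_EVENTS_<n>=$2 and the expansion happens as an assignment value,
    # never as a command.
    eval "CHOSEN_EVENTS_$1=\$2"
}

# Read back the stored value for an index (hypothetical helper).
get_event() {
    valid_index "$1" || return 1
    eval "printf '%s' \"\${CHOSEN_EVENTS_$1}\""
}

# Demonstration on constructed inputs.
set_event 0 "CPU_CLK_UNHALTED:100000:0:1:1" && echo "event 0 = $(get_event 0)"
set_event 1 'abcd;/usr/bin/id' || echo "rejected as expected"
```

Validating before eval is the part that matters for the defence in depth: even if a later refactor reintroduced an unescaped $2, the character check alone would stop command separators from reaching the parser.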
--- Begin Message ---
Source: oprofile
Source-Version: 0.9.6-1.2

We believe that the bug you reported is fixed in the latest version of
oprofile, which is due to be installed in the Debian FTP archive:

oprofile-gui_0.9.6-1.2_amd64.deb
  to main/o/oprofile/oprofile-gui_0.9.6-1.2_amd64.deb
oprofile_0.9.6-1.2.diff.gz
  to main/o/oprofile/oprofile_0.9.6-1.2.diff.gz
oprofile_0.9.6-1.2.dsc
  to main/o/oprofile/oprofile_0.9.6-1.2.dsc
oprofile_0.9.6-1.2_amd64.deb
  to main/o/oprofile/oprofile_0.9.6-1.2_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <[email protected]> (supplier of updated oprofile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 20 May 2011 01:38:53 -0300
Source: oprofile
Binary: oprofile oprofile-gui
Architecture: source amd64
Version: 0.9.6-1.2
Distribution: unstable
Urgency: high
Maintainer: LIU Qi <[email protected]>
Changed-By: Luciano Bello <[email protected]>
Description: 
 oprofile   - system-wide profiler for Linux systems
 oprofile-gui - system-wide profiler for Linux systems (GUI components)
Closes: 624212 625060
Changes: 
 oprofile (0.9.6-1.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add patch by William Cohen to not use mutable for reference variable
     (Closes: #625060)
   * Add patches by William Cohen to fix argument sanitation, CVE-2011-1760.
     This fixes the arbitrary command execution via opcontrol. (Closes: #624212)
Checksums-Sha1: 
 87fa14b26def8f8e893e7666eef9e81b83a8bf24 1433 oprofile_0.9.6-1.2.dsc
 f34cb2c602865983156743cc5c41f028b23f5227 17055 oprofile_0.9.6-1.2.diff.gz
 526671459c70e584b95061efd719817a8e7a4b80 3306680 oprofile_0.9.6-1.2_amd64.deb
 6eac3f37e33c64f8ceab2f7682406e16d4f89f59 96314 oprofile-gui_0.9.6-1.2_amd64.deb
Checksums-Sha256: 
 591a68ca174a9e7bdbd5f088618d745533c536565be398575b7477fabaea9cd9 1433 oprofile_0.9.6-1.2.dsc
 f2d110dc1d3b5a293d35d5f3a0c19f5a0fa60779520abb3d0d4affefa098012b 17055 oprofile_0.9.6-1.2.diff.gz
 97f8bcae24075fb966b1ed3449306be9ed403424bad7d9af1a6a75f09085e863 3306680 oprofile_0.9.6-1.2_amd64.deb
 89544477de00f9c2c6f688922b7c9a3e43642b80e8f02b80d1b8c409891ecf40 96314 oprofile-gui_0.9.6-1.2_amd64.deb
Files: 
 fb8ed5251713af983f22896147fdbaa3 1433 devel optional oprofile_0.9.6-1.2.dsc
 23b1e5464ab2c79fbf73fac50f3af958 17055 devel optional oprofile_0.9.6-1.2.diff.gz
 0105a24137dda9ae493e75843cb0f808 3306680 devel optional oprofile_0.9.6-1.2_amd64.deb
 62fbf37315798def289d9496c47802d7 96314 devel optional oprofile-gui_0.9.6-1.2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk3W5q4ACgkQQWTRs4lLtHnArQCffJ+GmzoCkxfcX+QpRrOZgK4b
UDwAoISMdMhZo1Beo1LSvUv91CtaBXwA
=2xjX
-----END PGP SIGNATURE-----
--- End Message ---