Your message dated Sat, 04 Jun 2011 13:56:46 +0000
with message-id <[email protected]>
and subject line Bug#624212: fixed in oprofile 0.9.6-1.1+squeeze1
has caused the Debian Bug report #624212,
regarding arbitrary command execution via sudo opcontrol
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
624212: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624212
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: oprofile
Version: 0.9.6-1.1

I found a way to execute arbitrary commands when using opcontrol via sudo. I realize that sudoing shell scripts is a bad idea (the oprofile FAQ discourages the use of sudo) but sudo is nevertheless common advice on the internet to provide oprofile to a user without giving him full root access.

The problem is in the set_event function where the content of $2 is not checked.

set_event()
{
  eval "CHOSEN_EVENTS_$1=$2"
}

This error can be exploited by injecting commands via the -e option as in the following example:

$ sudo opcontrol -e "abcd;/usr/bin/id"
uid=0(root) gid=0(root) groups=0(root)
No such event "abcd"

This is a different vulnerability than
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0576

--- End Message ---
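The closing message below describes the fix as argument sanitation. As an added example (not the Debian patch or upstream opcontrol code), here is a hardened set_event in POSIX sh that validates both arguments against an allowlist and keeps the user-supplied value out of the text that eval parses; the allowlist characters are an assumption.

```sh
#!/bin/sh
# Hardened replacement for opcontrol's set_event (added example, not the
# upstream patch). Two defences: validate both arguments against an
# allowlist before they go anywhere near eval, and let eval see only the
# variable name, never the user-supplied value, so metacharacters in the
# event specification are stored as data instead of being executed.

# Allowlist for an event specification NAME:COUNT:UNITMASK:KERNEL:USER
# (assumption: letters, digits, '_', ':', '.' and '-' are sufficient).
is_safe_event_spec()
{
  case "$1" in
    '') return 1 ;;                      # empty spec
    *[!A-Za-z0-9_:.-]*) return 1 ;;      # anything outside the allowlist
  esac
  return 0
}

# set_event INDEX SPEC: stores SPEC in CHOSEN_EVENTS_<INDEX>; returns 1 and
# leaves the variable untouched when either argument is rejected.
set_event()
{
  idx=$1; spec=$2
  case "$idx" in
    ''|*[!0-9]*) echo "set_event: bad event index '$idx'" >&2; return 1 ;;
  esac
  if ! is_safe_event_spec "$spec"; then
    echo "set_event: invalid event specification '$spec'" >&2
    return 1
  fi
  # The text eval parses is CHOSEN_EVENTS_<idx>="$spec"; $spec is expanded
  # by the assignment itself, not re-parsed as shell code.
  eval "CHOSEN_EVENTS_$idx=\"\$spec\""
}
```

With this version the input from the report above is rejected before eval runs, and even a value that slipped past the allowlist would only be assigned, never executed.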
--- Begin Message ---
Source: oprofile
Source-Version: 0.9.6-1.1+squeeze1

We believe that the bug you reported is fixed in the latest version of
oprofile, which is due to be installed in the Debian FTP archive:

oprofile-gui_0.9.6-1.1+squeeze1_amd64.deb
  to main/o/oprofile/oprofile-gui_0.9.6-1.1+squeeze1_amd64.deb
oprofile_0.9.6-1.1+squeeze1.diff.gz
  to main/o/oprofile/oprofile_0.9.6-1.1+squeeze1.diff.gz
oprofile_0.9.6-1.1+squeeze1.dsc
  to main/o/oprofile/oprofile_0.9.6-1.1+squeeze1.dsc
oprofile_0.9.6-1.1+squeeze1_amd64.deb
  to main/o/oprofile/oprofile_0.9.6-1.1+squeeze1_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <[email protected]> (supplier of updated oprofile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Fri, 20 May 2011 18:00:08 -0300
Source: oprofile
Binary: oprofile oprofile-gui
Architecture: source amd64
Version: 0.9.6-1.1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: LIU Qi <[email protected]>
Changed-By: Luciano Bello <[email protected]>
Description: 
 oprofile   - system-wide profiler for Linux systems
 oprofile-gui - system-wide profiler for Linux systems (GUI components)
Closes: 624212
Changes: 
 oprofile (0.9.6-1.1+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add patches by William Cohen to fix argument sanitation, CVE-2011-1760.
     This fixes the arbitrary command execution via opcontrol. (Closes: #624212)

--- End Message ---