Bug#624212: marked as done (arbitrary command execution via sudo opcontrol)

Sat, 04 Jun 2011 07:00:32 -0700 

Your message dated Sat, 04 Jun 2011 13:56:39 +0000
with message-id <[email protected]>
and subject line Bug#624212: fixed in oprofile 0.9.3-2+lenny1
has caused the Debian Bug report #624212,
regarding arbitrary command execution via sudo opcontrol
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
624212: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624212
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: oprofile
Version: 0.9.6-1.1
I found a way to execute arbitrary commands when using opcontrol via sudo. I realize that sudoing shell scripts is a bad idea (the oprofile FAQ discourages the use of sudo) but sudo is nevertheless a common advice on internet to provide oprofile to a user without giving him full root-access.
The problem is in the set_event function where the content of $2 is not checked. 

set_event()
{
  eval "CHOSEN_EVENTS_$1=$2"
}
This error can be exploited by injecting commands via the -e option as in the following example: 

$ sudo opcontrol -e "abcd;/usr/bin/id"
uid=0(root) gid=0(root) groups=0(root)
No such event "abcd"

This is a different vulnerability than
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0576

--- End Message ---
--- Begin Message --- 
Source: oprofile
Source-Version: 0.9.3-2+lenny1

We believe that the bug you reported is fixed in the latest version of
oprofile, which is due to be installed in the Debian FTP archive:

oprofile-gui_0.9.3-2+lenny1_amd64.deb
  to main/o/oprofile/oprofile-gui_0.9.3-2+lenny1_amd64.deb
oprofile_0.9.3-2+lenny1.dsc
  to main/o/oprofile/oprofile_0.9.3-2+lenny1.dsc
oprofile_0.9.3-2+lenny1.tar.gz
  to main/o/oprofile/oprofile_0.9.3-2+lenny1.tar.gz
oprofile_0.9.3-2+lenny1_amd64.deb
  to main/o/oprofile/oprofile_0.9.3-2+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <[email protected]> (supplier of updated oprofile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 21 May 2011 11:59:50 -0300
Source: oprofile
Binary: oprofile oprofile-gui
Architecture: source amd64
Version: 0.9.3-2+lenny1
Distribution: oldstable-security
Urgency: high
Maintainer: Al Stone <[email protected]>
Changed-By: Luciano Bello <[email protected]>
Description: 
 oprofile   - system-wide profiler for Linux systems
 oprofile-gui - system-wide profiler for Linux systems (GUI components)
Closes: 624212
Changes: 
 oprofile (0.9.3-2+lenny1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add patches by William Cohen to fix argument sanitation, CVE-2011-1760.
     This fixes the arbitrary command execution via opcontrol. (Closes: #624212)
Checksums-Sha1: 
 7e95d6bc56e93389ac99488e257234ad9d65b672 927 oprofile_0.9.3-2+lenny1.dsc
 98b76a1b6972192f64545ae3ff924c2653dc5733 874695 oprofile_0.9.3-2+lenny1.tar.gz
 2be98243705db3cf92afafdd30d1f30c7de71885 1302860 
oprofile_0.9.3-2+lenny1_amd64.deb
 3ca53be8f94560a3092e3aceb90cb050aac17cdf 94026 
oprofile-gui_0.9.3-2+lenny1_amd64.deb
Checksums-Sha256: 
 06c1dd30920b2480c4d141bb54502b597c81e1b344ee7730c9d0ecc318ec35eb 927 
oprofile_0.9.3-2+lenny1.dsc
 ccbc7f4ff6834cb29a35775ffa5d8b3fddc700399279face5a24b5dc0d1f4d60 874695 
oprofile_0.9.3-2+lenny1.tar.gz
 96c3c67491f218a261d695af4f8e78eb9d9461da923f5d247af807f170b6e582 1302860 
oprofile_0.9.3-2+lenny1_amd64.deb
 9339be9a5b9c83e04ebdebfb3774b64ced523e0ed077d33aaed247395d470f14 94026 
oprofile-gui_0.9.3-2+lenny1_amd64.deb
Files: 
 f52e7d939ff387bfba09d3c2db466d75 927 devel optional oprofile_0.9.3-2+lenny1.dsc
 5a0ec5293789baf466b1f583c119fd40 874695 devel optional 
oprofile_0.9.3-2+lenny1.tar.gz
 720c41f2f3e03ac77993129575d0c78b 1302860 devel optional 
oprofile_0.9.3-2+lenny1_amd64.deb
 bf849b2a9678188b98637bf29570a594 94026 devel optional 
oprofile-gui_0.9.3-2+lenny1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk3Ya8kACgkQQWTRs4lLtHlxbwCcCMWzDw+sVkEKGq7jXuMCcwl/
A3sAniMBtoolgoMxDkJAc4DkoASYIiu3
=zSDg
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to