Your message dated Mon, 11 Jul 2011 15:17:56 +0000
with message-id <[email protected]>
and subject line Bug#624212: fixed in oprofile 0.9.6-1.4
has caused the Debian Bug report #624212,
regarding arbitrary command execution via sudo opcontrol
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
624212: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624212
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: oprofile
Version: 0.9.6-1.1

I found a way to execute arbitrary commands when using opcontrol via sudo. I realize that sudoing shell scripts is a bad idea (the oprofile FAQ discourages the use of sudo), but sudo is nevertheless common advice on the internet for providing oprofile to a user without giving him full root access.

The problem is in the set_event function where the content of $2 is not checked.

set_event()
{
  # $2 is spliced unquoted into the string that eval parses as shell code
  eval "CHOSEN_EVENTS_$1=$2"
}

This error can be exploited by injecting commands via the -e option as in the following example:

$ sudo opcontrol -e "abcd;/usr/bin/id"
uid=0(root) gid=0(root) groups=0(root)
No such event "abcd"

This is a different vulnerability than
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0576
--- End Message ---
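To make the injection concrete, the following is an added example (not oprofile's code and not the Debian fix) that places the reporter's vulnerable set_event beside a hardened variant. The hardened variant is an assumed design: it restricts the index to digits and the event specification to the characters an oprofile event string legitimately uses, and it assigns the value inside eval via an escaped parameter reference so the shell never re-parses the user's input. The payload uses echo as a harmless stand-in for /usr/bin/id.

```shell
#!/bin/sh
# Added example, not oprofile's code: vulnerable set_event beside a
# hardened version.  The whitelist and the echo payload are assumptions.

# Vulnerable form, as quoted in the bug report.  $2 is expanded before
# eval sees it, so "abcd;echo ..." becomes two shell commands.
set_event_vuln()
{
  eval "CHOSEN_EVENTS_$1=$2"
}

# Hardened form (assumed design, not the upstream fix).
#  - $1 must be a non-empty decimal integer, so the variable name is sane.
#  - $2 may only contain [A-Za-z0-9_:,.-], which is an assumed superset of
#    what an oprofile event spec such as CPU_CLK_UNHALTED:100000 needs.
#  - The assignment uses \$2, so eval expands the parameter itself instead
#    of re-parsing its contents as shell syntax.
set_event_safe()
{
  case "$1" in
    ''|*[!0-9]*)
      echo "set_event: bad index '$1'" >&2
      return 1 ;;
  esac
  case "$2" in
    ''|*[!A-Za-z0-9_:,.-]*)
      echo "set_event: bad event spec '$2'" >&2
      return 1 ;;
  esac
  eval "CHOSEN_EVENTS_$1=\$2"
  return 0
}

# Demonstration: the same payload runs a command through the vulnerable
# function and is rejected by the hardened one.  Constructed payload; echo
# stands in for /usr/bin/id from the report.
demo()
{
  set_event_vuln 0 'abcd;echo INJECTED-COMMAND-RAN'
  set_event_safe 0 'abcd;echo INJECTED-COMMAND-RAN' || echo "rejected with status $?"
  set_event_safe 0 'CPU_CLK_UNHALTED:100000' && echo "CHOSEN_EVENTS_0=$CHOSEN_EVENTS_0"
}

demo
```

Running it prints INJECTED-COMMAND-RAN from the vulnerable path, then the rejection from the hardened path, then the accepted assignment. Whitelisting the input is what matters here; quoting alone is fragile because the attacker controls what ends up between the quotes.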
--- Begin Message ---
Source: oprofile
Source-Version: 0.9.6-1.4

We believe that the bug you reported is fixed in the latest version of
oprofile, which is due to be installed in the Debian FTP archive:

oprofile-gui_0.9.6-1.4_amd64.deb
  to main/o/oprofile/oprofile-gui_0.9.6-1.4_amd64.deb
oprofile_0.9.6-1.4.diff.gz
  to main/o/oprofile/oprofile_0.9.6-1.4.diff.gz
oprofile_0.9.6-1.4.dsc
  to main/o/oprofile/oprofile_0.9.6-1.4.dsc
oprofile_0.9.6-1.4_amd64.deb
  to main/o/oprofile/oprofile_0.9.6-1.4_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <[email protected]> (supplier of updated oprofile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 09 Jul 2011 19:54:57 -0300
Source: oprofile
Binary: oprofile oprofile-gui
Architecture: source amd64
Version: 0.9.6-1.4
Distribution: unstable
Urgency: high
Maintainer: LIU Qi <[email protected]>
Changed-By: Luciano Bello <[email protected]>
Description: 
 oprofile   - system-wide profiler for Linux systems
 oprofile-gui - system-wide profiler for Linux systems (GUI components)
Closes: 624212
Changes: 
 oprofile (0.9.6-1.4) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Jamie Strandboge noticed an incomplete fix for CVE-2011-1760 Closes: #624212
Checksums-Sha1: 
 847978e460719c34733145a99d3af80484b187be 1433 oprofile_0.9.6-1.4.dsc
 c6f5fd8d8668655d68e6b67ae0d6b214558ccf3b 17136 oprofile_0.9.6-1.4.diff.gz
 d5b35c55a9e4eae5d3403a1dc7cc85775d0fa1a8 3321658 oprofile_0.9.6-1.4_amd64.deb
 5a74b18524796531173af9e27a4466e18409d4a4 96256 oprofile-gui_0.9.6-1.4_amd64.deb
Checksums-Sha256: 
 1f1cf8a3a6827bf3a792a701fc1a698de90449edce63ce669556747bc77738b5 1433 oprofile_0.9.6-1.4.dsc
 09e210865260d457b7395c1ef4dd864198931586e889f18c2bc9347f95844bcc 17136 oprofile_0.9.6-1.4.diff.gz
 ed5094664ca47eecf68ae847a714ef6726785d8de3005a277e23473a77157cfc 3321658 oprofile_0.9.6-1.4_amd64.deb
 42725edab971dc71045a5e5d6d7dd43ae052290445b42691a204e1ce75b09066 96256 oprofile-gui_0.9.6-1.4_amd64.deb
Files: 
 649f080613dcc29dd5db8d9af4879b0b 1433 devel optional oprofile_0.9.6-1.4.dsc
 6aeaece1658d6c1dee0f8a322b8e4923 17136 devel optional oprofile_0.9.6-1.4.diff.gz
 2333798322adb6ab1ae34ec70ac5fbd2 3321658 devel optional oprofile_0.9.6-1.4_amd64.deb
 9ea5e9042495add580de6fbfbe89bd31 96256 devel optional oprofile-gui_0.9.6-1.4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4bEMQACgkQQWTRs4lLtHmJkQCfSqMlr6/y3y0ajIu5h8AtwqQ6
NGUAn0tcRIDUuAmR6OqUW+UW9yJlYMgn
=C1Kn
-----END PGP SIGNATURE-----

--- End Message ---