Your message dated Sun, 17 Jul 2011 01:55:21 +0000
with message-id <[email protected]>
and subject line Bug#624212: fixed in oprofile 0.9.3-2+lenny2
has caused the Debian Bug report #624212,
regarding arbitrary command execution via sudo opcontrol
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
624212: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624212
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: oprofile
Version: 0.9.6-1.1
I found a way to execute arbitrary commands when using opcontrol via
sudo. I realize that sudoing shell scripts is a bad idea (the oprofile
FAQ discourages the use of sudo), but sudo is nevertheless common
advice on the internet for providing oprofile to a user without giving
him full root access.
The problem is in the set_event function where the content of $2 is not
checked.
set_event()
{
eval "CHOSEN_EVENTS_$1=$2"
}
This error can be exploited by injecting commands via the -e option as
in the following example:
$ sudo opcontrol -e "abcd;/usr/bin/id"
uid=0(root) gid=0(root) groups=0(root)
No such event "abcd"
This is a different vulnerability than
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0576
--- End Message ---
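The report above boils down to one line: `eval "CHOSEN_EVENTS_$1=$2"` lets the shell parse the user-supplied event spec as code, and because opcontrol is run under sudo, the injected command runs as root before the later "No such event" check ever sees the value. The following is an added example, not code from oprofile or from the bug report: it puts that pattern next to a hardened replacement and exercises both with the report's payload shape. The demo function names, and the assumption that a legitimate event spec consists only of letters, digits, `_` and `:` (the `NAME:COUNT:UNITMASK:KERNEL:USER` form), are this example's own.

```shell
#!/bin/sh
# Added example, not code from oprofile or from the bug report.
# It puts the reported set_event pattern next to a hardened replacement
# and exercises both with the report's payload shape.  The demo_* names
# and the event-spec whitelist below are assumptions of this example.

# Vulnerable pattern quoted in the report: $2 is spliced into a string
# that eval then parses as shell code, so 'abcd;id' becomes two commands.
set_event_vulnerable() {
    eval "CHOSEN_EVENTS_$1=$2"
}

# Hardened version.  Two independent fixes:
#  1. Whitelist both arguments.  An oprofile event spec has the form
#     NAME:COUNT[:UNITMASK[:KERNEL:USER]] (letters, digits, '_', ':'),
#     so anything outside that set is rejected before it reaches eval.
#  2. Eval only a fixed assignment and let the shell expand $spec
#     afterwards ("\$spec"), so the value is stored verbatim and is
#     never re-parsed as code even if check 1 were loosened later.
set_event_safe() {
    idx=$1
    spec=$2
    case $idx in
        ''|*[!0-9]*) echo "set_event: bad index '$idx'" >&2; return 1 ;;
    esac
    case $spec in
        ''|*[!A-Za-z0-9_:]*) echo "set_event: invalid event spec '$spec'" >&2; return 1 ;;
    esac
    eval "CHOSEN_EVENTS_$idx=\$spec"
}

# Feed the report's payload shape to both versions.  The vulnerable one
# prints INJECTED: the command after ';' ran.  The safe one refuses the
# spec and assigns nothing.
demo_vulnerable() {
    set_event_vulnerable 0 'abcd;echo INJECTED' 2>/dev/null
}

demo_safe() {
    if set_event_safe 0 'abcd;echo INJECTED' 2>/dev/null; then
        echo ACCEPTED
    else
        echo REJECTED
    fi
}

# A well-formed spec is accepted and stored verbatim.
demo_valid() {
    set_event_safe 1 'CPU_CLK_UNHALTED:100000:0:1:1' && printf '%s\n' "$CHOSEN_EVENTS_1"
}

demo_vulnerable   # INJECTED
demo_safe         # REJECTED
demo_valid        # CPU_CLK_UNHALTED:100000:0:1:1
```

The `\$spec` idiom alone already stops code execution, because the string eval parses is the constant `CHOSEN_EVENTS_0=$spec`; the whitelist is there so that a spec containing `;`, spaces or quotes is rejected up front instead of being handed verbatim to whatever consumes `CHOSEN_EVENTS_*` later. Neither change makes `sudo opcontrol` safe in general: any other unquoted expansion in the script is a separate instance of the same bug.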
--- Begin Message ---
Source: oprofile
Source-Version: 0.9.3-2+lenny2
We believe that the bug you reported is fixed in the latest version of
oprofile, which is due to be installed in the Debian FTP archive:
oprofile-gui_0.9.3-2+lenny2_amd64.deb
to main/o/oprofile/oprofile-gui_0.9.3-2+lenny2_amd64.deb
oprofile_0.9.3-2+lenny2.dsc
to main/o/oprofile/oprofile_0.9.3-2+lenny2.dsc
oprofile_0.9.3-2+lenny2.tar.gz
to main/o/oprofile/oprofile_0.9.3-2+lenny2.tar.gz
oprofile_0.9.3-2+lenny2_amd64.deb
to main/o/oprofile/oprofile_0.9.3-2+lenny2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luciano Bello <[email protected]> (supplier of updated oprofile package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 08 Jul 2011 21:11:54 -0300
Source: oprofile
Binary: oprofile oprofile-gui
Architecture: source amd64
Version: 0.9.3-2+lenny2
Distribution: oldstable-security
Urgency: low
Maintainer: Al Stone <[email protected]>
Changed-By: Luciano Bello <[email protected]>
Description:
oprofile - system-wide profiler for Linux systems
oprofile-gui - system-wide profiler for Linux systems (GUI components)
Closes: 624212
Changes:
oprofile (0.9.3-2+lenny2) oldstable-security; urgency=low
.
* Non-maintainer upload by the Security Team.
* Jamie Strandboge noticed an incomplete fix for CVE-2011-1760 (Closes: #624212)
Checksums-Sha1:
02cd5fadbf9d6c80c216a9410713e4dfc64c3d6f 927 oprofile_0.9.3-2+lenny2.dsc
f56b1bcd53ba1755da01498b6be87f9752a07677 874857 oprofile_0.9.3-2+lenny2.tar.gz
8334a645a95fdccb82fe8bbbab6582927f26b987 1302884 oprofile_0.9.3-2+lenny2_amd64.deb
64e22276e565c3711d9bd989306b715d81bcb7aa 94070 oprofile-gui_0.9.3-2+lenny2_amd64.deb
Checksums-Sha256:
766a9cbcf6ded2113e74bb9fc35d40a55beccfef71238ca98b13ba972ed4fa40 927 oprofile_0.9.3-2+lenny2.dsc
3fe4cb51b8fcbf0d8f043ca2563523ec99ff602e674562bde6afb64a426406ea 874857 oprofile_0.9.3-2+lenny2.tar.gz
3934fd717b379cb1b75bc406886cedb621320e6f154f07aab48e3ee8e6f8800c 1302884 oprofile_0.9.3-2+lenny2_amd64.deb
e18eb8688136a1aad9ebadf9b5ddea7c117620a598fecacd50ce603dca1ea198 94070 oprofile-gui_0.9.3-2+lenny2_amd64.deb
Files:
37bc1e69fe628fbac0c00cef8e810ff5 927 devel optional oprofile_0.9.3-2+lenny2.dsc
2c075459bd60f708b04c58e54df9f065 874857 devel optional oprofile_0.9.3-2+lenny2.tar.gz
0322684d55649d296e83c6f2b3374869 1302884 devel optional oprofile_0.9.3-2+lenny2_amd64.deb
dbbbe3a53e51e29d3dbe6d065eaf967f 94070 devel optional oprofile-gui_0.9.3-2+lenny2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk4bE20ACgkQQWTRs4lLtHldewCeMWhchG4psUCTjMEeG5KFBWaS
mH8An3Ki1eLG5HNzkCtYeXxKs2b8W3tu
=cmKW
-----END PGP SIGNATURE-----
--- End Message ---