Your message dated Tue, 19 Jul 2011 01:54:45 +0000
with message-id <[email protected]>
and subject line Bug#624212: fixed in oprofile 0.9.6-1.1+squeeze2
has caused the Debian Bug report #624212,
regarding arbitrary command execution via sudo opcontrol
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
624212: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624212
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: oprofile
Version: 0.9.6-1.1
I found a way to execute arbitrary commands when using opcontrol via
sudo. I realize that sudoing shell scripts is a bad idea (the oprofile
FAQ discourages the use of sudo), but sudo is nevertheless common
advice on the internet for providing oprofile to a user without giving him
full root access.
The problem is in the set_event function, where the content of $2 is not
checked:

    set_event()
    {
        # $2 is spliced verbatim into the string that eval executes as shell code
        eval "CHOSEN_EVENTS_$1=$2"
    }
This error can be exploited by injecting commands via the -e option, as
in the following example:

    $ sudo opcontrol -e "abcd;/usr/bin/id"
    uid=0(root) gid=0(root) groups=0(root)
    No such event "abcd"
This is a different vulnerability than
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0576
--- End Message ---
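A hardened version of set_event, as an added example that is not part of the bug report or of the oprofile package: the index and the event specification are each validated against a whitelist before anything is handed to eval, and the value is assigned through a parameter expansion inside the eval'd text rather than being spliced into it as command text. The accepted character set for event specifications, the helper names and the error messages are assumptions made for this illustration; they are not taken from opcontrol.

```sh
#!/bin/sh
# Added example, not code from the oprofile package or the bug report.
# Hardened replacement for opcontrol's set_event(). The vulnerable original
# did `eval "CHOSEN_EVENTS_$1=$2"`, so shell metacharacters in $2 (the -e
# argument) were executed as code. Here both arguments are validated
# against whitelists and the value never reaches eval as command text.
# The accepted character set is an assumption for this illustration.

# The index must be a plain non-negative integer: it becomes part of a
# variable name inside the eval'd string, so nothing else may get in.
valid_index() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Event specs look like NAME:COUNT:UNITMASK:KERNEL:USER, or "default".
# Letters, digits, '_', ':' and '.' are accepted (assumed whitelist);
# ';', '|', '$', quotes, backquotes and whitespace are rejected.
valid_event_spec() {
    case "$1" in
        ''|*[!A-Za-z0-9_:.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stores $2 as CHOSEN_EVENTS_$1. Returns 1 and stores nothing if either
# argument fails validation.
set_event_safe() {
    se_idx=$1
    se_spec=$2
    valid_index "$se_idx" || {
        echo "set_event_safe: bad index '$se_idx'" >&2
        return 1
    }
    valid_event_spec "$se_spec" || {
        echo "set_event_safe: bad event spec '$se_spec'" >&2
        return 1
    }
    # The eval'd text is literally `CHOSEN_EVENTS_<digits>=$se_spec`: the
    # value is read from a variable at assignment time and is never parsed
    # as shell code, even before the whitelist check above.
    eval "CHOSEN_EVENTS_$se_idx=\$se_spec"
}

# Prints the stored spec for index $1 (empty if unset); fails on a bad index.
get_event() {
    valid_index "$1" || return 1
    eval "printf '%s' \"\${CHOSEN_EVENTS_$1}\""
}
```

With this version the reporter's payload (`abcd;/usr/bin/id`) is rejected by valid_event_spec before eval runs, so no command is executed; the ordinary `NAME:COUNT:UNITMASK:KERNEL:USER` form passes unchanged. Validating the index separately matters because $1 also ends up in the eval'd text, so it must not be trusted either.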
--- Begin Message ---
Source: oprofile
Source-Version: 0.9.6-1.1+squeeze2
We believe that the bug you reported is fixed in the latest version of
oprofile, which is due to be installed in the Debian FTP archive:
oprofile-gui_0.9.6-1.1+squeeze2_amd64.deb
to main/o/oprofile/oprofile-gui_0.9.6-1.1+squeeze2_amd64.deb
oprofile_0.9.6-1.1+squeeze2.diff.gz
to main/o/oprofile/oprofile_0.9.6-1.1+squeeze2.diff.gz
oprofile_0.9.6-1.1+squeeze2.dsc
to main/o/oprofile/oprofile_0.9.6-1.1+squeeze2.dsc
oprofile_0.9.6-1.1+squeeze2_amd64.deb
to main/o/oprofile/oprofile_0.9.6-1.1+squeeze2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luciano Bello <[email protected]> (supplier of updated oprofile package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 08 Jul 2011 21:02:50 -0300
Source: oprofile
Binary: oprofile oprofile-gui
Architecture: source amd64
Version: 0.9.6-1.1+squeeze2
Distribution: stable-security
Urgency: low
Maintainer: LIU Qi <[email protected]>
Changed-By: Luciano Bello <[email protected]>
Description:
oprofile - system-wide profiler for Linux systems
oprofile-gui - system-wide profiler for Linux systems (GUI components)
Closes: 624212
Changes:
oprofile (0.9.6-1.1+squeeze2) stable-security; urgency=low
.
* Non-maintainer upload by the Security Team.
* Jamie Strandboge noticed an incomplete fix for CVE-2011-1760 (Closes: #624212)
Checksums-Sha1:
6804f68cb60e6b9bd0bec8d787fbfed44b49eb53 1469 oprofile_0.9.6-1.1+squeeze2.dsc
6cdc5316c46bb309beeae242f30fdd9a820eb689 16764 oprofile_0.9.6-1.1+squeeze2.diff.gz
a044f85e6085f65db5a25ae72556de8bdbef50c2 3160576 oprofile_0.9.6-1.1+squeeze2_amd64.deb
64e96f97102f4c027c5cff0a1af3d00aa8fdaf62 97616 oprofile-gui_0.9.6-1.1+squeeze2_amd64.deb
Checksums-Sha256:
bcac41dc93092e30343957df8d1b11cd5b2bbfa201ce1e24dc6137bd7aae23a7 1469 oprofile_0.9.6-1.1+squeeze2.dsc
0f2355e29fdee4e1f577e1cc583899af7cfe6e13aca289a2140ad7ab76ffbcaa 16764 oprofile_0.9.6-1.1+squeeze2.diff.gz
46b8546e78526b6179e8e3b36aad17214b2130deb9a9aa43c4882ad297ca44b4 3160576 oprofile_0.9.6-1.1+squeeze2_amd64.deb
00af773de9472382f6f3bfa1f7ea818c14ce33be909b58adf939f8ae26961519 97616 oprofile-gui_0.9.6-1.1+squeeze2_amd64.deb
Files:
6831afc80189751b177120394645d7c2 1469 devel optional oprofile_0.9.6-1.1+squeeze2.dsc
0c8be36980dfd79aa8c429f9b9fc7d1b 16764 devel optional oprofile_0.9.6-1.1+squeeze2.diff.gz
92c95695cc792cd7430a70ffea2c9413 3160576 devel optional oprofile_0.9.6-1.1+squeeze2_amd64.deb
03a761416ed1d4f0fc9e5a42f4e66230 97616 devel optional oprofile-gui_0.9.6-1.1+squeeze2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk4bFCwACgkQQWTRs4lLtHltxACgwXRVSkDtpnO+5Fzo7LVsqux5
b08AnicJ4GQ1niiFkTJSAUxE3hpevlIR
=Pjyc
-----END PGP SIGNATURE-----
--- End Message ---