From the debian bug at $URL: I found a way to execute arbitrary commands when using opcontrol via sudo. I realize that sudoing shell scripts is a bad idea (the oprofile FAQ discourages the use of sudo) but sudo is nevertheless a common advice on internet to provide oprofile to a user without giving him full root-access.
oprofile-0.9.6-r1 fixes this issue. Actually I've not applied Sanitize Event Names patch [1] as it looks like most of issues are covered by Do additional checks on user supplied arguments patch [2]: [1] https://bugzilla.redhat.com/attachment.cgi?id=499232 [2] https://bugzilla.redhat.com/attachment.cgi?id=499235 I've contacted William Cohen to make sure I understand issue correctly and once they answer I either add arch teams here or add patch and arch teams.
CVE-2011-1760 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1760): utils/opcontrol in OProfile 0.9.6 and earlier might allow local users to conduct eval injection attacks and gain privileges via shell metacharacters in the -e argument.
Got confirmation from upstream developer. Arch teams, please, stabilize dev-util/oprofile-0.9.6-r1. TIA.
amd64 ok, see Bug 372581 for improvements ;)
ppc done
amd64: emerged ok.
amd64 done. Thanks Agostino and Ian
x86 stable
Stable for HPPA.
Thanks, folks. GLSA request filed.
*** Bug 372913 has been marked as a duplicate of this bug. ***
Security team, <oprofile-0.9.6-r1 versions are no longer in tree since 16 Feb 2013. Should this bug be closed as obsolete?
(In reply to Andrew Savchenko from comment #12) > Security team, <oprofile-0.9.6-r1 versions are no longer in tree since 16 > Feb 2013. Should this bug be closed as obsolete? Yes, we know. This bug is slated to go out on a special GLSA by the end of the year and will be closed at that time along with all the other old bugs. Thanks.
This issue was resolved and addressed in GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml by GLSA coordinator Sean Amoss (ackle).
