Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 366699 (CVE-2011-1760) - <dev-util/oprofile-0.9.6-r1: Privilege Escalation when permitted via sudo (CVE-2011-{1760,2471,2472,2473})
Summary: <dev-util/oprofile-0.9.6-r1: Privilege Escalation when permitted via sudo (C...
Alias: CVE-2011-1760
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: C1 [glsa]
: CVE-2011-2471 (view as bug list)
Depends on:
Reported: 2011-05-10 05:04 UTC by Tim Sammut (RETIRED)
Modified: 2014-12-12 00:37 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-05-10 05:04:08 UTC
From the debian bug at $URL:

I found a way to execute arbitrary commands when using opcontrol via 
sudo. I realize that sudoing shell scripts is a bad idea (the oprofile 
FAQ discourages the use of sudo) but sudo is nevertheless a common 
advice on internet to provide oprofile to a user without giving him full 
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2011-06-20 05:28:01 UTC
oprofile-0.9.6-r1 fixes this issue. Actually I've not applied Sanitize Event Names patch [1] as it looks like most of issues are covered by Do additional checks on user supplied arguments patch [2]:


I've contacted William Cohen to make sure I understand issue correctly and once they answer I either add arch teams here or add patch and arch teams.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2011-06-20 18:44:30 UTC
CVE-2011-1760 (
  utils/opcontrol in OProfile 0.9.6 and earlier might allow local users to
  conduct eval injection attacks and gain privileges via shell metacharacters
  in the -e argument.
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2011-06-22 13:53:38 UTC
Got confirmation from upstream developer. Arch teams, please, stabilize dev-util/oprofile-0.9.6-r1. TIA.
Comment 4 Agostino Sarubbo gentoo-dev 2011-06-22 14:16:59 UTC
amd64 ok, see Bug 372581 for improvements ;)
Comment 5 Brent Baude (RETIRED) gentoo-dev 2011-06-22 20:24:33 UTC
ppc done
Comment 6 Ian Delaney (RETIRED) gentoo-dev 2011-06-22 21:43:13 UTC

emerged ok.
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-06-23 07:25:39 UTC
amd64 done. Thanks Agostino and Ian
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-06-23 17:38:35 UTC
x86 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2011-06-23 21:19:43 UTC
Stable for HPPA.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-06-26 21:14:58 UTC
Thanks, folks. GLSA request filed.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-07-03 16:16:22 UTC
*** Bug 372913 has been marked as a duplicate of this bug. ***
Comment 12 Andrew Savchenko gentoo-dev 2014-11-30 14:11:54 UTC
Security team, <oprofile-0.9.6-r1 versions are no longer in tree since 16 Feb 2013. Should this bug be closed as obsolete?
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2014-11-30 22:10:10 UTC
(In reply to Andrew Savchenko from comment #12)
> Security team, <oprofile-0.9.6-r1 versions are no longer in tree since 16
> Feb 2013. Should this bug be closed as obsolete?

Yes, we know. This bug is slated to go out on a special GLSA by the end of the year and will be closed at that time along with all the other old bugs. Thanks.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:37:56 UTC
This issue was resolved and addressed in
 GLSA 201412-09 at
by GLSA coordinator Sean Amoss (ackle).