From the Debian bug at $URL:
I found a way to execute arbitrary commands when using opcontrol via
sudo. I realize that sudoing shell scripts is a bad idea (the oprofile
FAQ discourages the use of sudo) but sudo is nevertheless common
advice on the internet to provide oprofile to a user without giving him full
oprofile-0.9.6-r1 fixes this issue. Actually, I've not applied the "Sanitize Event Names" patch, as it looks like most of the issues are covered by the "Do additional checks on user supplied arguments" patch:
I've contacted William Cohen to make sure I understand the issue correctly, and once they answer I'll either add arch teams here or add the patch and arch teams.
utils/opcontrol in OProfile 0.9.6 and earlier might allow local users to
conduct eval injection attacks and gain privileges via shell metacharacters
in the -e argument.
Got confirmation from upstream developer. Arch teams, please, stabilize dev-util/oprofile-0.9.6-r1. TIA.
amd64 ok, see Bug 372581 for improvements ;)
amd64 done. Thanks Agostino and Ian
Stable for HPPA.
Thanks, folks. GLSA request filed.
*** Bug 372913 has been marked as a duplicate of this bug. ***
Security team, <oprofile-0.9.6-r1 versions are no longer in tree since 16 Feb 2013. Should this bug be closed as obsolete?
(In reply to Andrew Savchenko from comment #12)
> Security team, <oprofile-0.9.6-r1 versions are no longer in tree since 16
> Feb 2013. Should this bug be closed as obsolete?
Yes, we know. This bug is slated to go out on a special GLSA by the end of the year and will be closed at that time along with all the other old bugs. Thanks.
This issue was resolved and addressed in
GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).
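
The eval injection through the `-e` argument described in this bug, shown as an added illustration that is not opcontrol's code or either of the patches mentioned above. The function names, the allowlist grammar (letters, digits, `_` and `:`) and the sample values are assumptions made for this example; under sudo, anything eval re-parses runs with the elevated privileges.

```shell
#!/bin/sh
# Added illustration: simplified stand-ins, not opcontrol's actual code.

# UNSAFE: the value is pasted into the string that eval re-parses, so
# shell metacharacters in it become shell syntax.
store_event_unsafe() {
    eval "EVENT_$1=$2"
}

# Allowlist check (assumed grammar: letters, digits, '_' and ':' only).
valid_event_spec() {
    case "$1" in
        '' | *[!A-Za-z0-9_:]*) return 1 ;;   # empty, or a char outside the allowlist
    esac
    return 0
}

# SAFE: validate first, then let eval expand \$2 itself so the value is
# assigned as data and never re-parsed as code.
store_event_safe() {
    case "$1" in '' | *[!0-9]*) return 2 ;; esac   # index must be numeric
    valid_event_spec "$2" || return 1
    eval "EVENT_$1=\$2"
}

# Constructed inputs: a well-formed spec, and one carrying a harmless
# marker assignment after a ';'.
GOOD='CPU_CLK_UNHALTED:100000:0:1:1'
BAD='x; INJECTED=yes'

demo() {
    INJECTED=no
    store_event_unsafe 0 "$BAD"
    unsafe_result=$INJECTED      # the text after ';' was executed
    INJECTED=no
    rc=0
    store_event_safe 1 "$BAD" || rc=$?
    printf 'unsafe: injected=%s | safe: rc=%s injected=%s\n' \
        "$unsafe_result" "$rc" "$INJECTED"
}
demo
```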