Bug 1979

Summary: oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo
Product: Mageia Reporter: Nicolas Vigier <boklm>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: ahmadsamir3891, anssi.hannula, davidwhodgins, pterjan, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: oprofile-0.9.6-3.mga1.src.rpm CVE:
Status comment:

Manuel Hiebel 2011-08-30 10:00:47 CEST

CC: (none) => ahmadsamir3891, pterjan

Manuel Hiebel 2011-09-25 14:05:04 CEST

Assignee: bugsquad => anssi.hannula

Comment 1 Dave Hodgins 2011-09-27 02:09:57 CEST 
Bug confirmed present on Mageia 1.
$ sudo opcontrol -e "abcd;/bin/id"
uid=0(root) gid=0(root) groups=0(root),500(dave)
No such event "abcd"

CC: (none) => davidwhodgins

Comment 2 Manuel Hiebel 2011-11-01 00:08:16 CET 
Ping ?
Comment 3 Anssi Hannula 2011-11-03 19:10:55 CET 
Sorry.

Packages now pushed to core/updates_testing.

Advisory:
==============
OProfile 0.9.6 of Mageia 1 is vulnerable to a local privilege escalation via a crafted opcontrol event parameter when the user has been authorized to use the opcontrol command with sudo in the sudoers file.

This update fixes the issue.
==============

oprofile-0.9.6-3.1.mga1

Testcase:
1. Add an authorization for a user to run opcontrol as root via sudoers.
   one way to do that is run 'visudo' and add the line:
 anssi ALL=/usr/bin/opcontrol
   replacing the correct username you want to test it with.
2. run and enter your user password:
$ sudo opcontrol -e "abcd;/bin/id"
[sudo] password for anssi:
3.
With the unpatched version you get:
uid=0(root) gid=0(root) ryhmät=0(root)
With the patched version you get:
Argument for -e, abcd;/bin/id, is not valid argument

Status: NEW => ASSIGNED
CC: (none) => anssi.hannula
Assignee: anssi.hannula => qa-bugs

Comment 4 Anssi Hannula 2011-11-03 19:13:21 CET 
Forgot references from the advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1760
http://www.debian.org/security/2011/dsa-2254
Comment 5 Dave Hodgins 2011-11-03 20:57:28 CET 
Testing complete on i586 for the srpm
oprofile-0.9.6-3.1.mga1.src.rpm

I now get ...
$ sudo opcontrol -e "abcd;/bin/id"
For sudo, enter password for dave >
Argument for -e, abcd;/bin/id, is not valid argument.
Comment 6 claire robinson 2011-11-07 16:14:03 CET 
x86_64

Before
------

$ sudo opcontrol -e "abcd;/bin/id"
[sudo] password for claire: 
uid=0(root) gid=0(root) groups=0(root)
No such event "abcd"


After
-----

$ sudo opcontrol -e "abcd;/bin/id"
Argument for -e, abcd;/bin/id, is not valid argument.


Update validated. Thankyou for the testing procedure!


Advisory:
==============
OProfile 0.9.6 of Mageia 1 is vulnerable to a local privilege escalation via a
crafted opcontrol event parameter when the user has been authorized to use the
opcontrol command with sudo in the sudoers file.

This update fixes the issue.
==============

SRPM: oprofile-0.9.6-3.1.mga1


Could sysadmin please push from core/updates_testing to core/updates

Thankyou!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 7 Thomas Backlund 2011-11-07 17:39:11 CET 
Update pushed.

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED