CVE-2011-1760:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1760
http://www.debian.org/security/2011/dsa-2254
http://www.securityfocus.com/bid/47652/exploit

Patches available in the Debian package:
http://patch-tracker.debian.org/patch/series/view/oprofile/0.9.6-1.2/0001-Sanitize-Event-Names.patch
http://patch-tracker.debian.org/patch/series/view/oprofile/0.9.6-1.2/0002-Ensure-that-save-only-saves-things-in-SESSION_DIR.patch
http://patch-tracker.debian.org/patch/series/view/oprofile/0.9.6-1.2/0003-Avoid-blindly-source-SETUP_FILE-with.patch
http://patch-tracker.debian.org/patch/series/view/oprofile/0.9.6-1.2/0004-Do-additional-checks-on-user-supplied-arguments.patch
CC: (none) => ahmadsamir3891, pterjan
Assignee: bugsquad => anssi.hannula
Bug confirmed present on Mageia 1.

$ sudo opcontrol -e "abcd;/bin/id"
uid=0(root) gid=0(root) groups=0(root),500(dave)
No such event "abcd"
CC: (none) => davidwhodgins
Ping ?
Sorry. Packages now pushed to core/updates_testing.

Advisory:
==============
OProfile 0.9.6 of Mageia 1 is vulnerable to a local privilege escalation via a crafted opcontrol event parameter when the user has been authorized to use the opcontrol command with sudo in the sudoers file.

This update fixes the issue.
==============

oprofile-0.9.6-3.1.mga1

Testcase:
1. Add an authorization for a user to run opcontrol as root via sudoers. One way to do that is to run 'visudo' and add the line:
anssi ALL=/usr/bin/opcontrol
replacing the username with the one you want to test it with.
2. Run and enter your user password:
$ sudo opcontrol -e "abcd;/bin/id"
[sudo] password for anssi:
3. With the unpatched version you get:
uid=0(root) gid=0(root) ryhmät=0(root)
With the patched version you get:
Argument for -e, abcd;/bin/id, is not valid argument

Status: NEW => ASSIGNED
CC: (none) => anssi.hannula
Assignee: anssi.hannula => qa-bugs
Forgot references from the advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1760
http://www.debian.org/security/2011/dsa-2254

Testing complete on i586 for the srpm oprofile-0.9.6-3.1.mga1.src.rpm

I now get ...
$ sudo opcontrol -e "abcd;/bin/id"
For sudo, enter password for dave >
Argument for -e, abcd;/bin/id, is not valid argument.

x86_64

Before
------
$ sudo opcontrol -e "abcd;/bin/id"
[sudo] password for claire:
uid=0(root) gid=0(root) groups=0(root)
No such event "abcd"

After
-----
$ sudo opcontrol -e "abcd;/bin/id"
Argument for -e, abcd;/bin/id, is not valid argument.

Update validated. Thank you for the testing procedure!

Advisory:
==============
OProfile 0.9.6 of Mageia 1 is vulnerable to a local privilege escalation via a crafted opcontrol event parameter when the user has been authorized to use the opcontrol command with sudo in the sudoers file.

This update fixes the issue.
==============

SRPM: oprofile-0.9.6-3.1.mga1

Could sysadmin please push from core/updates_testing to core/updates

Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
Update pushed.
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
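
The testcase in this report shows `abcd;/bin/id` being run as root when passed to `-e`, and the updated package rejecting the same value. As an added example (not the OProfile patch and not code from this report), the POSIX shell below shows an allowlist check of that kind for a script run via sudo; the function names `is_safe_arg` and `check_arg`, the permitted character set, and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: allowlist validation of an option value before a root-run
# script uses it. Not OProfile's code; names and character set are assumed.
LC_ALL=C; export LC_ALL   # make the A-Z/a-z/0-9 ranges byte-exact

# is_safe_arg VALUE
# Succeeds only if VALUE is non-empty and made up solely of letters, digits,
# '_', ':', '.' and '-'. Anything else (';', '$', backquote, space, newline,
# '/', quotes ...) fails, so the value cannot carry shell syntax.
is_safe_arg() {
    case "$1" in
        '')                  return 1 ;;
        *[!A-Za-z0-9_:.-]*)  return 1 ;;
        *)                   return 0 ;;
    esac
}

# check_arg OPTION VALUE
# Validates VALUE and, on failure, reports it in the style of the message
# quoted in the report, then returns non-zero so the caller can abort.
check_arg() {
    if is_safe_arg "$2"; then
        return 0
    fi
    printf 'Argument for %s, %s, is not valid argument.\n' "$1" "$2" >&2
    return 1
}

# Constructed sample values: one well-formed event spec, three hostile ones.
for value in 'CPU_CLK_UNHALTED:100000:0:1:1' 'abcd;/bin/id' 'abcd$(id)' 'ab cd'
do
    if check_arg -e "$value" 2>/dev/null; then
        printf 'accepted: %s\n' "$value"
    else
        printf 'rejected: %s\n' "$value"
    fi
done
```

The check runs before the value reaches any `eval`, `source` or unquoted expansion, and it lists what is allowed rather than trying to enumerate dangerous characters.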