Home page logo

oss-sec logo oss-sec mailing list archives

Re: Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo
From: Jamie Strandboge <jamie () canonical com>
Date: Thu, 07 Jul 2011 10:56:35 -0500

On Tue, 2011-05-10 at 17:05 -0400, William Cohen wrote:
The patches mentioned in the previous email.


Thanks for these patches. I was reviewing them and noticed that
0003-Avoid-blindly-source-SETUP_FILE-with.patch undoes the 
'error_if_not_basename $arg $val' for --save added in
0002-Ensure-that-save-only-saves-things-in-SESSION_DIR.patch such that
if you apply all 4 patches, method #2 from the Debian bug[1] is no
longer fixed. Attached is a patch to correct this (to be applied after
the other 4).


Jamie Strandboge             | http://www.canonical.com

Attachment: 0005-add-back-error_if_not_basename.patch

Attachment: signature.asc
Description: This is a digitally signed message part

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]