oss-sec mailing list archives

Re: Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo
From: William Cohen <wcohen () redhat com>
Date: Tue, 12 Jul 2011 16:53:24 -0400

On 07/07/2011 11:56 AM, Jamie Strandboge wrote:
> On Tue, 2011-05-10 at 17:05 -0400, William Cohen wrote:
>> The patches mentioned in the previous email.
>>
>> -Will
>
> Thanks for these patches. I was reviewing them and noticed that
> 0003-Avoid-blindly-source-SETUP_FILE-with.patch undoes the
> 'error_if_not_basename $arg $val' for --save added in
> 0002-Ensure-that-save-only-saves-things-in-SESSION_DIR.patch such that
> if you apply all 4 patches, method #2 from the Debian bug[1] is no
> longer fixed. Attached is a patch to correct this (to be applied after
> the other 4).
>
> [1]http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624212#14


Hi Jamie,

Can you check whether this problem still exists in upstream? This patch does not apply cleanly to upstream. The 
upstream opcontrol has:


                        --save)
                                error_if_not_valid_savename "$arg" "$val"
                                DUMP=yes
                                SAVE_SESSION=yes
                                SAVE_NAME=$val
                                EXCLUSIVE_ARGC=`expr $EXCLUSIVE_ARGC + 1`
                                EXCLUSIVE_ARGV="$arg"
                                ;;

And:

# check value is a base filename
error_if_not_valid_savename()
{
        error_if_empty "$1" "$2"
        bname=`basename "$2"`
        if test "$2" !=  "$bname"; then
                echo "Argument for $1, $2, cannot change directory." >&2
                exit 1
        fi
        case "$2" in
                # The following catches anything that is not
                # 0-9, a-z, A-Z, an '-', ':', ',', '.', or '/'
                *[!-[:alnum:]_:,./]*) 
                        echo "Argument for $1, $2, not allow to have special characters" >&2
                        exit 1;;
        esac
}
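
The check quoted above, run against constructed save names (an added example, not part of the original message or of oprofile). The body of error_if_empty is a stand-in because the message does not show it, and check_savename is a hypothetical wrapper that runs the check in a subshell so its `exit 1` does not end the script.

```shell
#!/bin/sh
# Stand-in (assumption): the upstream body of error_if_empty is not shown above.
error_if_empty()
{
        if test -z "$2"; then
                echo "No value given for option $1" >&2
                exit 1
        fi
}

# Copied from the message above, with the wrapped echo line rejoined.
error_if_not_valid_savename()
{
        error_if_empty "$1" "$2"
        bname=`basename "$2"`
        if test "$2" !=  "$bname"; then
                echo "Argument for $1, $2, cannot change directory." >&2
                exit 1
        fi
        case "$2" in
                *[!-[:alnum:]_:,./]*)
                        echo "Argument for $1, $2, not allow to have special characters" >&2
                        exit 1;;
        esac
}

# Hypothetical wrapper: prints "accept" or "reject" for one candidate name.
# The subshell contains the exit, so the caller keeps running.
check_savename()
{
        if (error_if_not_valid_savename --save "$1") 2>/dev/null; then
                echo accept
        else
                echo reject
        fi
}

# Constructed inputs: two plain names, two paths, three names with
# characters outside the allowed set, and an empty value.
for name in 'session1' 'run_2011-07-12' '../../etc/x' '/tmp/x' \
            'a;b' 'a b' 'a$b' ''; do
        result=$(check_savename "$name")
        printf '%-18s %s\n' "[$name]" "$result"
done
```

The two path inputs are stopped by the basename comparison, and the names containing `;`, a space or `$` by the character-class pattern.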

