oss-sec mailing list archives
Re: Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo
From: Jamie Strandboge <jamie () canonical com>
Date: Thu, 07 Jul 2011 10:56:35 -0500
On Tue, 2011-05-10 at 17:05 -0400, William Cohen wrote:
> The patches mentioned in the previous email. -Will

Thanks for these patches. I was reviewing them and noticed that 0003-Avoid-blindly-source-SETUP_FILE-with.patch undoes the 'error_if_not_basename $arg $val' for --save added in 0002-Ensure-that-save-only-saves-things-in-SESSION_DIR.patch such that if you apply all 4 patches, method #2 from the Debian bug[1] is no longer fixed. Attached is a patch to correct this (to be applied after the other 4).

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624212#14

--
Jamie Strandboge | http://www.canonical.com

Attachment: 0005-add-back-error_if_not_basename.patch
