oss-sec mailing list archives
Re: Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo
From: William Cohen <wcohen () redhat com>
Date: Tue, 12 Jul 2011 16:53:24 -0400
On 07/07/2011 11:56 AM, Jamie Strandboge wrote:
> On Tue, 2011-05-10 at 17:05 -0400, William Cohen wrote:
>> The patches mentioned in the previous email.
>>
>> -Will
>
> Thanks for these patches. I was reviewing them and noticed that
> 0003-Avoid-blindly-source-SETUP_FILE-with.patch undoes the
> 'error_if_not_basename $arg $val' for --save added in
> 0002-Ensure-that-save-only-saves-things-in-SESSION_DIR.patch such that
> if you apply all 4 patches, method #2 from the Debian bug[1] is no
> longer fixed. Attached is a patch to correct this (to be applied after
> the other 4).
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624212#14

Hi Jamie,
Can you check whether this problem still exists in upstream? This patch does not apply cleanly to upstream. The
upstream opcontrol has:
    --save)
            error_if_not_valid_savename "$arg" "$val"
            DUMP=yes
            SAVE_SESSION=yes
            SAVE_NAME=$val
            EXCLUSIVE_ARGC=`expr $EXCLUSIVE_ARGC + 1`
            EXCLUSIVE_ARGV="$arg"
            ;;

And:
    # check value is a base filename
    error_if_not_valid_savename()
    {
            error_if_empty "$1" "$2"
            bname=`basename "$2"`
            if test "$2" != "$bname"; then
                    echo "Argument for $1, $2, cannot change directory." >&2
                    exit 1
            fi
            case "$2" in
                    # The following catches anything that is not
                    # 0-9, a-z, A-Z, an '-', ':', ',', '.', or '/'
                    *[!-[:alnum:]_:,./]*)
                            echo "Argument for $1, $2, not allow to have special characters" >&2
                            exit 1;;
            esac
    }
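
Added example, not part of the original message or of the oprofile sources: a small harness that runs the quoted error_if_not_valid_savename check against constructed --save values, as one way to confirm that directory-changing names and shell metacharacters are rejected. error_if_empty is not shown in the message, so a stand-in with assumed behaviour is used; check_savename and run_samples are hypothetical helper names.

```shell
# Stand-in for opcontrol's error_if_empty, which the message does not show (assumed behaviour).
error_if_empty()
{
	test -n "$2" && return 0
	echo "No value given for option $1" >&2
	exit 1
}

# The upstream check as quoted in the message above.
error_if_not_valid_savename()
{
	error_if_empty "$1" "$2"
	bname=`basename "$2"`
	if test "$2" != "$bname"; then
		echo "Argument for $1, $2, cannot change directory." >&2
		exit 1
	fi
	case "$2" in
		*[!-[:alnum:]_:,./]*)
			echo "Argument for $1, $2, not allow to have special characters" >&2
			exit 1;;
	esac
}

# The check calls exit on failure, so run it in a subshell and report
# the outcome as "accept" or "reject" (hypothetical helper).
check_savename()
{
	if (error_if_not_valid_savename --save "$1") 2>/dev/null; then
		echo accept
	else
		echo reject
	fi
}

# Constructed sample values for --save; none come from the thread.
run_samples()
{
	for name in 'session1' 'run-2011:07,12.v1' '../outside' '/tmp/outside' 'sub/dir' 'a b' 'a;b' 'a$b' 'a`b' ''; do
		printf '%-22s %s\n' "[$name]" "$(check_savename "$name")"
	done
}

run_samples
```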
