Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 12 Jul 2011 16:53:24 -0400
From: William Cohen <>
To: Jamie Strandboge <>
Subject: Re: Re: CVE Request -- oprofile -- Local privilege
 escalation via crafted opcontrol event parameter when authorized by sudo

On 07/07/2011 11:56 AM, Jamie Strandboge wrote:
> On Tue, 2011-05-10 at 17:05 -0400, William Cohen wrote:
>> The patches mentioned in the previous email.
>> -Will
> Thanks for these patches. I was reviewing them and noticed that
> 0003-Avoid-blindly-source-SETUP_FILE-with.patch undoes the 
> 'error_if_not_basename $arg $val' for --save added in
> 0002-Ensure-that-save-only-saves-things-in-SESSION_DIR.patch such that
> if you apply all 4 patches, method #2 from the Debian bug[1] is no
> longer fixed. Attached is a patch to correct this (to be applied after
> the other 4).
> [1]

Hi Jamie,

Can you check whether this problem still exists in upstream? This patch does not apply cleanly to upstream. The upstream opcontrol has:

				error_if_not_valid_savename "$arg" "$val"


# check value is a base filename
	error_if_empty "$1" "$2"
	bname=`basename "$2"`
	if test "$2" !=  "$bname"; then
		echo "Argument for $1, $2, cannot change directory." >&2
		exit 1
	case "$2" in
		# The following catches anything that is not
		# 0-9, a-z, A-Z, an '-', ':', ',', '.', or '/'
			echo "Argument for $1, $2, not allow to have special ch
aracters" >&2
			exit 1;;

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.