oss-sec mailing list archives
Re: Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo
From: William Cohen <wcohen () redhat com>
Date: Tue, 10 May 2011 17:00:14 -0400
On 05/03/2011 05:36 AM, Huzaifa Sidhpurwala wrote:
Hi William, On 05/01/2011 07:30 AM, William Cohen wrote:I don't know if this is the best way to fix this issue, but attached is a patch that filters out all but alpha numeric characters and '_'. Feedback on the patch would be appreciated.It appears from the debian bug, that there may be others way to exploit this issue as well. hence i think we need a revised patch?
Hi Huzaifa, I have generated some patches to address the CVE. However, I have not yet address the http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624212#19 related to the "echo do_jitconv > $SESSION_DIR/opd_pipe" I will send the the patches from my local git branch in a moment. Any feedback would be appreciated. -Will
Current thread:
- CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo Jan Lieskovsky (Apr 29)
- Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo William Cohen (May 01)
- Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo William Cohen (May 01)
- Re: Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo Huzaifa Sidhpurwala (May 03)
- Re: Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo William Cohen (May 10)
- Re: Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo William Cohen (May 10)
- Re: Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo Huzaifa Sidhpurwala (May 10)
- Re: Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo Huzaifa Sidhpurwala (May 03)
- Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo Stephane Chauveau (May 03)
- Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo Josh Bressers (May 02)