oss-sec mailing list archives
Re: Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo
From: William Cohen <wcohen () redhat com>
Date: Tue, 10 May 2011 17:05:11 -0400
On 05/03/2011 05:36 AM, Huzaifa Sidhpurwala wrote:
> Hi William,
>
> On 05/01/2011 07:30 AM, William Cohen wrote:
>> I don't know if this is the best way to fix this issue, but attached is a patch that filters out all but alphanumeric characters and '_'. Feedback on the patch would be appreciated.
>
> It appears from the Debian bug that there may be other ways to exploit this issue as well. Hence I think we need a revised patch?

The patches mentioned in the previous email.

-Will
Attachments:
0001-Sanitize-Event-Names.patch
0002-Ensure-that-save-only-saves-things-in-SESSION_DIR.patch
0003-Avoid-blindly-source-SETUP_FILE-with.patch
0004-Do-additional-checks-on-user-supplied-arguments.patch