Re: Re: CVE Request -- oprofile -- Local privilege escalation via crafted opcontrol event parameter when authorized by sudo

[William Cohen <wcohen () redhat com>]

On 05/03/2011 05:36 AM, Huzaifa Sidhpurwala wrote:
> Hi William,
> On 05/01/2011 07:30 AM, William Cohen wrote:
> > I don't know if this is the best way to fix this issue, but attached is a patch that filters out all but alpha 
> > numeric characters and '_'. Feedback on the patch would be appreciated.
>
> It appears from the debian bug, that there may be others way to exploit
> this issue as well. hence i think we need a revised patch?

The patches mentioned in the previous email.

-Will

Attachment: 0001-Sanitize-Event-Names.patch
Description:

Attachment: 0002-Ensure-that-save-only-saves-things-in-SESSION_DIR.patch
Description:

Attachment: 0003-Avoid-blindly-source-SETUP_FILE-with.patch
Description:

Attachment: 0004-Do-additional-checks-on-user-supplied-arguments.patch
Description: