On Wed, 2006-02-15 at 00:04 -0500, Micah Anderson wrote:
> Package: oprofile
> Severity: normal
>
> CVE-2006-0576 reads:
>
> Untrusted search path vulnerability in opcontrol in OProfile 0.9.1 and
> earlier allows local users to execute arbitrary commands via a modified
> PATH that references malicious (1) which or (2) dirname programs.
> NOTE: while opcontrol normally is not run setuid, a common configuration
> suggests accessing opcontrol using sudo. In such a context, this is a
> vulnerability.
>
Thanks for the report; a patch has been suggested upstream and appears
to be acceptable. I'll get that incorporated and uploaded quickly.

--
Ciao,
al
----------------------------------------------------------------------
Al Stone                                      Alter Ego:
Open Source and Linux R&D                     Debian Developer
Hewlett-Packard Company                       http://www.debian.org
E-mail: [EMAIL PROTECTED]                     [EMAIL PROTECTED]
----------------------------------------------------------------------
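
The untrusted search path problem quoted above, seen from the defender's side as an added example (it is not the upstream OProfile patch, which this message does not show): a shell script that may be run through sudo checks the inherited PATH and resolves helpers such as `which` and `dirname` from a fixed directory list. `TRUSTED_DIRS` and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hardening a root-run shell script against PATH hijacking.
# TRUSTED_DIRS is an assumption; adjust it to the target system.
TRUSTED_DIRS="/usr/sbin:/usr/bin:/sbin:/bin"

# Return 0 only if every entry of the PATH string in $1 is in TRUSTED_DIRS.
# Empty entries (which mean "current directory") and relative entries fail.
path_is_trusted() {
    case "$1" in
        ""|:*|*:|*::*) return 1 ;;      # empty component == current directory
    esac
    old_ifs=$IFS; IFS=:
    set -f                              # no glob expansion while splitting
    for dir in $1; do
        case ":$TRUSTED_DIRS:" in
            *":$dir:"*) ;;              # entry is on the allowlist
            *) IFS=$old_ifs; set +f; return 1 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 0
}

# Print the full path of helper $1 found in TRUSTED_DIRS only, ignoring $PATH.
resolve_trusted() {
    old_ifs=$IFS; IFS=:
    for dir in $TRUSTED_DIRS; do
        if [ -x "$dir/$1" ] && [ ! -d "$dir/$1" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$1"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# What a privileged script would call before running any helper by bare name.
harden_path() {
    PATH=$TRUSTED_DIRS
    export PATH
}
```

A script would call `harden_path` as its first action, or use `DIRNAME=$(resolve_trusted dirname) || exit 1` and invoke `"$DIRNAME"` explicitly; `path_is_trusted "$PATH"` is useful for logging or refusing to run when the inherited environment is suspicious.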