Your message dated Sat, 25 Jun 2011 19:02:46 +0200
with message-id <4e0614b6.9050...@debian.org>
and subject line Re: CVE-2011-2473 CVE-2011-2472 CVE-2011-2471
has caused the Debian Bug report #630084,
regarding CVE-2011-2473 CVE-2011-2472 CVE-2011-2471
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
630084: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=630084
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: oprofile
Version: 0.9.6-1.2
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for oprofile.

CVE-2011-2473[0]:
| The do_dump_data function in utils/opcontrol in OProfile 0.9.6 and
| earlier might allow local users to create or overwrite arbitrary files
| via a crafted --session-dir argument in conjunction with a symlink
| attack on the opd_pipe file, a different vulnerability than
| CVE-2011-1760.

CVE-2011-2472[1]:
| Directory traversal vulnerability in utils/opcontrol in OProfile 0.9.6
| and earlier might allow local users to overwrite arbitrary files via a
| .. (dot dot) in the --save argument, related to the --session-dir
| argument, a different vulnerability than CVE-2011-1760.

CVE-2011-2471[2]:
| utils/opcontrol in OProfile 0.9.6 and earlier might allow local users
| to gain privileges via shell metacharacters in the (1) --vmlinux, (2)
| --session-dir, or (3) --xen argument, related to the daemonrc file and
| the do_save_setup and do_load_setup functions, a different
| vulnerability than CVE-2011-1760.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

There are some patches on oss-security[3]. They are not applied in
version 0.9.6-1.2, so I assume it to be vulnerable.

Helmut

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2473
    http://security-tracker.debian.org/tracker/CVE-2011-2473
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2472
    http://security-tracker.debian.org/tracker/CVE-2011-2472
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2471
    http://security-tracker.debian.org/tracker/CVE-2011-2471
[3] http://openwall.com/lists/oss-security/2011/05/10/7



--- End Message ---
--- Begin Message ---
> There are some patches on oss-security[3]. They are not applied in
> version 0.9.6-1.2, so I assume it to be vulnerable.

> [3] http://openwall.com/lists/oss-security/2011/05/10/7

What do you mean by not applied? The patches are in debian/patches:

0001-Sanitize-Event-Names.patch
0002-Ensure-that-save-only-saves-things-in-SESSION_DIR.patch
0003-Avoid-blindly-source-SETUP_FILE-with.patch
0004-Do-additional-checks-on-user-supplied-arguments.patch

and are applied in the build process.

Cheers

Luk


--- End Message ---
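
Added example, not OProfile's code and not the Debian patches listed above: one way to make the two checks the CVE descriptions point at, a --save name that cannot leave the session directory and a setup file that is parsed rather than sourced. The function names and the key names VMLINUX and XEN are assumptions for illustration.

```shell
#!/bin/sh
# Added example; function names, key names and demo input are constructed.

# Accept a --save name only if it is a single path component, so the
# saved session always lands directly under the session directory.
valid_save_name() {
    case "$1" in
        ''|.|..|*/*) return 1 ;;
    esac
    return 0
}

# Parse KEY=VALUE lines from a setup file instead of sourcing it.
# Only known keys and values from a conservative character set pass.
# All-or-nothing: pairs are printed only if every line is acceptable.
load_setup() {
    out=
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        key=${line%%=*}
        val=${line#*=}
        [ "$key" = "$line" ] && return 1      # line has no '='
        case "$key" in
            SESSION_DIR|VMLINUX|XEN) ;;       # hypothetical key names
            *) return 1 ;;
        esac
        case "$val" in
            *[!A-Za-z0-9_./-]*) return 1 ;;   # metacharacter, space, quote
        esac
        out="${out}${key}=${val}
"
    done < "$1"
    printf '%s' "$out"
    return 0
}

# Constructed demo input: one clean line, one carrying a metacharacter.
demo=$(mktemp)
printf 'VMLINUX=/boot/vmlinux\nXEN=/boot/xen;id\n' > "$demo"
load_setup "$demo" || echo "setup file rejected, nothing loaded"
valid_save_name "../outside" || echo "save name rejected"
rm -f "$demo"
```

Nothing read from the file is ever evaluated by the shell, so a value containing `;`, backticks or `$(...)` is refused as data rather than executed.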
