DSA-2254-2 oprofile -- command injectionID: oval:org.secpod.oval:def:600590 | Date: (C)2011-07-22 (M)2022-10-10 |
Class: PATCH | Family: unix |
Jamie Strandboge noticed that the patch propoused to fix CVE-2011-1760 in OProfile has been incomplete. For reference, the description of the original DSA, is: OProfile is a performance profiling tool which is configurable by opcontrol, its control utility. Stephane Chauveau reported several ways to inject arbitrary commands in the arguments of this utility. If a local unprivileged user is authorized by sudoers file to run opcontrol as root, this user could use the flaw to escalate his privileges.
Platform: |
Debian 5.0 |
Debian 6.0 |