Secure testing team - Jul 2011 - Bug#632984: oprofile: CVE-2011-2472 is not fixed due to 0003-Avoid-blindly-source-SETUP_FILE-with.patch

Package: oprofile
Version: 0.9.6-1.3
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu oneiric ubuntu-patch


In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: arbitrary file overwrite
    - 0005-add-back-error_if_not_basename.patch: readd error_if_not_basename()
      which was removed in 0003-Avoid-blindly-source-SETUP_FILE-with.patch

See http://www.openwall.com/lists/oss-security/2011/07/07/6 for details.

Thanks for considering the patch.

-- System Information:
Debian Release: squeeze/sid
  APT prefers natty-updates
  APT policy: (500, ''natty-updates''), (500,
''natty-security''), (500, ''natty'')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-8-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-------------- next part --------------
--- oprofile-0.9.6.orig/debian/patches/0005-add-back-error_if_not_basename.patch
+++ oprofile-0.9.6/debian/patches/0005-add-back-error_if_not_basename.patch
@@ -0,0 +1,19 @@
+Author: Jamie Strandboge <jamie at canonical.com>
+Description: add back error_if_not_basename() which was removed in
+ 0003-Avoid-blindly-source-SETUP_FILE-with.patch
+Forwarded: yes
+
+Index: oprofile-0.9.6/utils/opcontrol
+==================================================================+---
oprofile-0.9.6.orig/utils/opcontrol	2011-07-07 10:58:26.000000000 -0500
++++ oprofile-0.9.6/utils/opcontrol	2011-07-07 10:58:35.000000000 -0500
+@@ -785,7 +785,8 @@
+ 				;;
+ 
+ 			--save)
+-                error_if_invalid_arg $arg $val
++				error_if_invalid_arg $arg $val
++				error_if_not_basename $arg $val
+ 				DUMP=yes
+ 				SAVE_SESSION=yes
+ 				SAVE_NAME=$val