CVE-2011-2473
Publication date 9 June 2011
Last updated 24 July 2024
Ubuntu priority
The do_dump_data function in utils/opcontrol in OProfile 0.9.6 and earlier might allow local users to create or overwrite arbitrary files via a crafted --session-dir argument in conjunction with a symlink attack on the opd_pipe file, a different vulnerability than CVE-2011-1760.
Notes
jdstrand
this attack requires that the user is using a --session-dir that is under the attacker's control. --session-dir defaults to /var/lib/oprofile so this is not a problem in the default configuration. Proper use of --init will set up the session dir with correct permissions, and this is needed to use a different session dir anyway. The vulnerability comes in if the session dir's permissions change after using --init or are created in another user's directory that is under the attacker's control. While it would be good to try to defend against this, the checks would be racy and the vulnerability is somewhat contrived to begin with. Upstream has not patched this as of 2011-07-07.
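Added example (not OProfile's code and not part of the tracker entry) of how a non-racy version of the check in the note above can be done: the session directory is opened with O_NOFOLLOW and validated on the open descriptor rather than the path, and the pipe is created with mkfifo relative to that descriptor, which refuses to create through a pre-planted symlink. All scenarios in demo() use constructed temporary directories; the pipe name and the hypothetical target path are assumptions.

```python
import os
import stat
import tempfile

PIPE_NAME = "opd_pipe"  # assumed name, matching the file named in the CVE text

def open_session_dir(path):
    """Open the session dir without following a symlink, then check owner and
    mode on the fd so a later path swap cannot race the check. None = unsafe."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError:          # ELOOP (path is a symlink) or ENOTDIR: refuse
        return None
    st = os.fstat(fd)
    owned = st.st_uid == os.geteuid()
    writable_by_others = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    if not owned or writable_by_others:
        os.close(fd)
        return None
    return fd

def create_pipe(dir_fd):
    """mkfifo relative to the verified fd. mkfifo never follows a symlink: an
    existing entry (link or file) gives EEXIST and we refuse. True only on creation."""
    try:
        os.mkfifo(PIPE_NAME, 0o600, dir_fd=dir_fd)
    except FileExistsError:
        return False
    return True

def demo():
    """Constructed scenarios in temp dirs (no real oprofile involved)."""
    results = {}
    good = tempfile.mkdtemp()                      # fresh, mode 0700, ours
    fd = open_session_dir(good)
    results["fresh_dir_pipe_created"] = fd is not None and create_pipe(fd)
    os.close(fd)
    planted = tempfile.mkdtemp()                   # symlink pre-planted at pipe name
    os.symlink("/nonexistent/target", os.path.join(planted, PIPE_NAME))
    fd = open_session_dir(planted)
    results["planted_symlink_refused"] = fd is not None and not create_pipe(fd)
    os.close(fd)
    loose = tempfile.mkdtemp()
    os.chmod(loose, 0o777)                         # permissions changed after setup
    results["writable_dir_rejected"] = open_session_dir(loose) is None
    link = os.path.join(tempfile.mkdtemp(), "sess")
    os.symlink(good, link)                         # session dir itself is a symlink
    results["symlinked_dir_rejected"] = open_session_dir(link) is None
    return results
```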