From d52d142365cedb6c11e0d57835a6530cb9687474 Mon Sep 17 00:00:00 2001
From: William Cohen <wcohen@redhat.com>
Date: Tue, 10 May 2011 11:44:11 -0400
Subject: [PATCH 1/4] Sanitize Event Names
The event names need to be sanitized to only allow alphanumeric characters to
address CVE-2011-1760.
---
utils/opcontrol | 12 +++++++++++-
1 files changed, 11 insertions(+), 1 deletions(-)
diff --git a/utils/opcontrol b/utils/opcontrol
index 3a8a814..f2558e6 100644
--- a/utils/opcontrol
+++ b/utils/opcontrol
@@ -390,7 +390,17 @@ get_event()
set_event()
{
- eval "CHOSEN_EVENTS_$1=$2"
+ clean1="`echo "${1}" | tr -cd '[:alnum:]_'`"
+ clean2="`echo "${2}" | tr -cd '[:alnum:]_:'`"
+ if [ "x$1" != "x$clean1" ]; then
+ echo "Invalid event number \"$1\"."
+ exit 1
+ fi
+ if [ "x$2" != "x$clean2" ]; then
+ echo "Invalid event \"$2\"."
+ exit 1
+ fi
+ eval "CHOSEN_EVENTS_$clean1=$clean2"
}
--
1.7.1
![[patchlogo]](http://patch-tracker.debian.org/static/img/swirlpatch.png)