Bug 374897 (CVE-2011-1011) - <sys-apps/policycoreutils-2.0.85: privilege escalation (CVE-2011-1011)
Summary: <sys-apps/policycoreutils-2.0.85: privilege escalation (CVE-2011-1011)
Status: RESOLVED FIXED
Alias: CVE-2011-1011
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-07-11 23:31 UTC by GLSAMaker/CVETool Bot
Modified: 2012-01-12 15:18 UTC (History)
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
Suggested patch on policycoreutils (policycoreutils-2.0.85-fix-seunshare-vuln.patch,31.47 KB, patch)
2011-07-13 21:33 UTC, Sven Vermeulen

Description GLSAMaker/CVETool Bot gentoo-dev 2011-07-11 23:31:03 UTC
CVE-2011-1011 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1011):
  The seunshare_mount function in sandbox/seunshare.c in seunshare in certain
  Red Hat packages of policycoreutils 2.0.83 and earlier in Red Hat Enterprise
  Linux (RHEL) 6 and earlier, and Fedora 14 and earlier, mounts a new
  directory on top of /tmp without assigning root ownership and the sticky bit
  to this new directory, which allows local users to replace or delete
  arbitrary /tmp files, and consequently cause a denial of service or possibly
  gain privileges, by running a setuid application that relies on /tmp, as
  demonstrated by the ksu application.
Comment 1 Sven Vermeulen 2011-07-12 21:12:26 UTC
The version we currently have does not support sandboxes so isn't vulnerable to this. The latest upstream version (policycoreutils 2.0.85) *is* vulnerable to this as the patch that RedHat has applied (to its 2.0.83 series) isn't applied upstream yet.

I'm checking if I can port the required bits into a nice patch
Comment 2 Sven Vermeulen 2011-07-13 17:01:15 UTC
Even the latest stable userspace tools don't make this a vulnerability for Gentoo (yet) since the sandbox code (in which seunshare is hosted) is not installed on Gentoo. One reason is that Gentoo doesn't support MCS (SELinux Multi-Category Security) yet, something that the SELinux sandbox relies on.

Work on integrating MCS is on the way though, so I might push the latest userspace tools with the patch included (but still without enabling the SELinux sandbox) so that, if we ever get MCS working (and SELinux sandbox) then the patch is at least already present.
Comment 3 Sven Vermeulen 2011-07-13 21:33:38 UTC
Created attachment 280025
Suggested patch on policycoreutils

This is the patch that is used by Fedora / RedHat to counter this vulnerability (see also https://bugzilla.redhat.com/show_bug.cgi?id=633544). Credits for the patch are with Dan Walsh of RedHat and Thomas Liu of FedoraProject.

The patch is altered a bit to not include all other stuff added by Fedora & RedHat, such as cgroups support.

I did preliminary tests on the patch (does it compile, does the application work) but the patch might see some updates when we actually enable MCS (like I said before, we currently don't support nor can we run with the system settings that are required by sandbox/seunshare).

For now, I'll make sure that the patch is included, but support for sandbox (and thus seunshare) will be disabled, like so:

    # We currently do not support MCS, so the sandbox code in policycoreutils
    # is not usable yet. However, work for MCS is on the way and a reported
    # vulnerability (bug #374897) might go by unnoticed if we ignore it now.
    # As such, we will
    # - prepare support for switching name from "sandbox" to "sesandbox"
    epatch "${FILESDIR}/policycoreutils-2.0.85-sesandbox.patch"
    # - patch the sandbox and seunshare code to fix the vulnerability
    #   (uses, with permission, extract from
    #   http://pkgs.fedoraproject.org/gitweb/?p=policycoreutils.git;a=blob_plain;f=policycoreutils-rhat.patch;hb=HEAD)
    epatch "${FILESDIR}/policycoreutils-2.0.85-fix-seunshare-vuln.patch"
    # But for now, disable building sandbox code
    sed -i -e 's/sandbox //' "${S}/Makefile" || die "failed removing sandbox"
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-12 15:18:35 UTC
Vulnerable versions have been removed from tree, closing [noglsa].