
Bug 374897 (CVE-2011-1011)

Summary: <sys-apps/policycoreutils-2.0.85: privilege escalation (CVE-2011-1011)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
  Suggested patch on policycoreutils (flags: none)

Description GLSAMaker/CVETool Bot gentoo-dev 2011-07-11 23:31:03 UTC
CVE-2011-1011 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1011):
  The seunshare_mount function in sandbox/seunshare.c in seunshare in certain
  Red Hat packages of policycoreutils 2.0.83 and earlier in Red Hat Enterprise
  Linux (RHEL) 6 and earlier, and Fedora 14 and earlier, mounts a new
  directory on top of /tmp without assigning root ownership and the sticky bit
  to this new directory, which allows local users to replace or delete
  arbitrary /tmp files, and consequently cause a denial of service or possibly
  gain privileges, by running a setuid application that relies on /tmp, as
  demonstrated by the ksu application.
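The property the CVE text describes (a directory mounted over /tmp must be root-owned and carry the sticky bit) can be expressed as a small pre-mount check. The following is an added example, not code from policycoreutils or from the Fedora/Red Hat patch; the enum, function names and the constructed stat buffers are this example's own assumptions.

```c
/* Added example (not code from policycoreutils or from the Fedora/Red Hat
 * patch): the ownership and mode check a private-/tmp helper such as
 * seunshare should apply to a directory before mounting it over /tmp.
 * CVE-2011-1011 was possible because the mounted directory was neither
 * root-owned nor sticky, so any local user could rename or unlink files
 * that other users (or setuid programs such as ksu) kept there.
 * All names below are this example's own. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

enum tmpdir_verdict {
    TMPDIR_OK = 0,
    TMPDIR_STAT_FAILED,       /* lstat() failed (missing path, no access) */
    TMPDIR_SYMLINK,           /* mount point is a symlink: do not follow it */
    TMPDIR_NOT_DIRECTORY,
    TMPDIR_NOT_ROOT_OWNED,    /* a non-root owner can chmod/rename at will */
    TMPDIR_NO_STICKY_BIT,     /* world-writable without S_ISVTX: anyone can
                                 delete or replace anyone else's files */
    TMPDIR_NOT_WORLD_WRITABLE /* safe, but unusable as a shared /tmp */
};

/* Pure policy check on a stat buffer, so it can be exercised without root.
 * A directory standing in for /tmp must be a real directory, owned by uid 0,
 * world-writable (every user can create files) and sticky (a user may only
 * remove or rename entries they own) -- i.e. root:01777. */
enum tmpdir_verdict tmpdir_check_stat(const struct stat *st)
{
    if (S_ISLNK(st->st_mode))
        return TMPDIR_SYMLINK;
    if (!S_ISDIR(st->st_mode))
        return TMPDIR_NOT_DIRECTORY;
    if (st->st_uid != 0)
        return TMPDIR_NOT_ROOT_OWNED;
    if (!(st->st_mode & S_IWOTH))
        return TMPDIR_NOT_WORLD_WRITABLE;
    if (!(st->st_mode & S_ISVTX))
        return TMPDIR_NO_STICKY_BIT;
    return TMPDIR_OK;
}

/* Check a path on the filesystem. lstat() is used deliberately: a symlink
 * at the mount point must be reported, not silently followed. */
enum tmpdir_verdict tmpdir_check_path(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return TMPDIR_STAT_FAILED;
    return tmpdir_check_stat(&st);
}

/* Build a constructed stat buffer (test input, not read from disk). */
struct stat tmpdir_fake_stat(mode_t mode, uid_t uid)
{
    struct stat st;
    memset(&st, 0, sizeof st);
    st.st_mode = mode;
    st.st_uid = uid;
    return st;
}

const char *tmpdir_verdict_str(enum tmpdir_verdict v)
{
    static const char *const names[] = {
        "ok", "stat failed", "symlink", "not a directory",
        "not owned by root", "no sticky bit", "not world-writable",
    };
    return names[v];
}

int main(void)
{
    /* The real /tmp on a normal system is root:01777 and should pass. */
    printf("/tmp: %s\n", tmpdir_verdict_str(tmpdir_check_path("/tmp")));
    /* A constructed buffer showing the shape of directory the CVE describes:
     * user-owned and without the sticky bit. */
    struct stat bad = tmpdir_fake_stat(S_IFDIR | 0777, 1000);
    printf("user-owned 0777 dir: %s\n",
           tmpdir_verdict_str(tmpdir_check_stat(&bad)));
    return 0;
}
```

The ownership test is placed before the sticky-bit test on purpose: a directory owned by an unprivileged user can have its mode changed by that user at any time, so its current bits say nothing about how it will look after the mount.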
Comment 1 Sven Vermeulen 2011-07-12 21:12:26 UTC
The version we currently have does not support sandboxes so isn't vulnerable to this. The latest upstream version (policycoreutils 2.0.85) *is* vulnerable to this as the patch that RedHat has applied (to its 2.0.83 series) isn't applied upstream yet.

I'm checking if I can port the required bits into a nice patch
Comment 2 Sven Vermeulen 2011-07-13 17:01:15 UTC
Even the latest stable userspace tools don't make this a vulnerability for Gentoo (yet) since the sandbox code (in which seunshare is hosted) is not installed on Gentoo. One reason is that Gentoo doesn't support MCS (SELinux Multi-Category Security) yet, something that the SELinux sandbox relies on.

Work on integrating MCS is on the way though, so I might push the latest userspace tools with the patch included (but still without enabling the SELinux sandbox) so that, if we ever get MCS working (and SELinux sandbox) then the patch is at least already present.
Comment 3 Sven Vermeulen 2011-07-13 21:33:38 UTC
Created attachment 280025
Suggested patch on policycoreutils

This is the patch that is used by Fedora / RedHat to counter this vulnerability (see also https://bugzilla.redhat.com/show_bug.cgi?id=633544). Credits for the patch are with Dan Walsh of RedHat and Thomas Liu of FedoraProject.

The patch is altered a bit to not include all other stuff added by Fedora & RedHat, such as cgroups support.

I did preliminary tests on the patch (does it compile, does the application work) but the patch might see some updates when we actually enable MCS (like I said before, we currently don't support nor can we run with the system settings that are required by sandbox/seunshare).

For now, I'll make sure that the patch is included, but support for sandbox (and thus seunshare) will be disabled, like so:

    # We currently do not support MCS, so the sandbox code in policycoreutils
    # is not usable yet. However, work for MCS is on the way and a reported
    # vulnerability (bug #374897) might go by unnoticed if we ignore it now.
    # As such, we will
    # - prepare support for switching name from "sandbox" to "sesandbox"
    epatch "${FILESDIR}/policycoreutils-2.0.85-sesandbox.patch"
    # - patch the sandbox and seunshare code to fix the vulnerability
    #   (uses, with permission, extract from
    #   http://pkgs.fedoraproject.org/gitweb/?p=policycoreutils.git;a=blob_plain;f=policycoreutils-rhat.patch;hb=HEAD)
    epatch "${FILESDIR}/policycoreutils-2.0.85-fix-seunshare-vuln.patch"
    # But for now, disable building sandbox code
    sed -i -e 's/sandbox //' "${S}/Makefile" || die "failed removing sandbox"
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-12 15:18:35 UTC
Vulnerable versions have been removed from tree, closing [noglsa].