Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 635888 (CVE-2017-6507)

Summary: <sys-apps/apparmor-2.11.1 - restart via init script unloads unknown profiles
Product: Gentoo Security Reporter: Michael Palimaka (kensington) <kensington>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: glsamaker, hardened, kensington
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~4 [noglsa cve]
Package list:
Runtime testing required: ---

Description Michael Palimaka (kensington) gentoo-dev 2017-10-30 12:24:37 UTC 
An issue was discovered in AppArmor before 2.12. Incorrect handling of unknown AppArmor profiles in AppArmor init scripts, upstart jobs, and/or systemd unit files allows an attacker to possibly have increased attack surfaces of processes that were intended to be confined by AppArmor. This is due to the common logic to handle 'restart' operations removing AppArmor profiles that aren't found in the typical filesystem locations, such as /etc/apparmor.d/. Userspace projects that manage their own AppArmor profiles in atypical directories, such as what's done by LXD and Docker, are affected by this flaw in the AppArmor init script logic.
Comment 1 Larry the Git Cow gentoo-dev 2017-10-30 12:53:08 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9ffa8736aeb1da843ad06f5514fe068f90263f51

commit 9ffa8736aeb1da843ad06f5514fe068f90263f51
Author:     Michael Palimaka <kensington@gentoo.org>
AuthorDate: 2017-10-30 12:45:18 +0000
Commit:     Michael Palimaka <kensington@gentoo.org>
CommitDate: 2017-10-30 12:52:57 +0000

    sys-apps/apparmor: version bump 2.11.1
    
    This resolves CVE-2017-6507.
    
    Bug: https://bugs.gentoo.org/635888
    Package-Manager: Portage-2.3.8, Repoman-2.3.4

 sys-apps/apparmor/Manifest                         |  1 +
 sys-apps/apparmor/apparmor-2.11.1.ebuild           | 60 ++++++++++++++++++++++
 .../files/apparmor-2.11.1-dynamic-link.patch       | 11 ++++
 3 files changed, 72 insertions(+)}
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-31 14:45:57 UTC 
*** Bug 636044 has been marked as a duplicate of this bug. ***
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-31 16:07:29 UTC 
Thank you, Michael, please let us know when tree is clean.
Comment 4 Michael Palimaka (kensington) gentoo-dev 2017-11-03 14:00:02 UTC 
Cleanup done.
Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-03 14:29:46 UTC 
Thank you