Bug 509896 (CVE-2014-3215) - <sys-apps/policycoreutils-{2.3_rc1-r1,2.2.5-r4}: local privilege escalation via seunshare (CVE-2014-3215)
Summary: <sys-apps/policycoreutils-{2.3_rc1-r1,2.2.5-r4}: local privilege escalation v...
Status: RESOLVED FIXED
Alias: CVE-2014-3215
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2014-05-09 07:26 UTC by Agostino Sarubbo
Modified: 2014-12-26 19:24 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-05-09 07:26:45 UTC
From ${URL}:

Common Vulnerabilities and Exposures assigned an identifier CVE-2014-3215 to
the following vulnerability:

Name: CVE-2014-3215
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3215
Assigned: 20140503
Reference: http://openwall.com/lists/oss-security/2014/04/29/7
Reference: http://openwall.com/lists/oss-security/2014/04/30/4
Reference: http://openwall.com/lists/oss-security/2014/05/08/1

seunshare in policycoreutils 2.2.5 is owned by root with 4755
permissions, and executes programs in a way that changes the
relationship between the setuid system call and the getresuid saved
set-user-ID value, which makes it easier for local users to gain
privileges by leveraging a program that mistakenly expected that it
could permanently drop privileges.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
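The CVE text above turns on a program that assumes setuid() permanently dropped root. As an added example (not code from this bug, from policycoreutils or from libcap-ng; it assumes Linux with glibc, and the function names are mine), here is a privilege drop that re-reads all three UIDs with getresuid() and refuses to continue unless the saved set-user-ID was cleared as well:

```c
/* Added example, not from the bug report, policycoreutils or libcap-ng:
 * drop privileges, then verify via getresuid() that the saved UID went too. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc extensions; redeclared so this builds even if a system header was seen first. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* 1 if real, effective AND saved UID all equal `want`, so privileges
 * cannot be regained later with seteuid()/setreuid(); 0 otherwise. */
int privs_fully_dropped(uid_t want)
{
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0)
        return 0;
    return ruid == want && euid == want && suid == want;
}

/* Permanently switch to `target`: setresuid() sets all three IDs, then the
 * result is re-read, because setuid() made without CAP_SETUID changes only
 * the effective UID and leaves the saved set-user-ID in place (the mistaken
 * assumption the CVE text describes). 0 on success, -1 with errno set. */
int drop_privs_permanently(uid_t target)
{
    if (setresuid(target, target, target) != 0)
        return -1;
    if (!privs_fully_dropped(target)) {
        errno = EPERM;
        return -1;
    }
    /* Fail closed: if we can still become root, the drop did not hold. */
    if (target != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    uid_t me = getuid();
    if (drop_privs_permanently(me) != 0) { perror("drop_privs_permanently"); return 1; }
    printf("uid %u: real, effective and saved UIDs all dropped\n", (unsigned)me);
    return 0;
}
```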
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2014-05-09 16:32:59 UTC
Another seunshare vulnerability? Oh boy; thanks for the heads-up, I'm right on it.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2014-05-09 16:44:31 UTC
We only install it if USE="sesandbox" is set, which isn't done by default.

I'll go through the technical discussion and see what the safest approach is to take.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2014-05-09 17:35:45 UTC
Okay, there are currently some mitigations already in place.

If you are running our SELinux policy in enforcing mode, and the users are *not* unconfined_t, then the SELinux policy prevents seunshare from working anyway. Apparently the tool (provided by Red Hat) is meant to be run by unconfined users. By default, SELinux uses the strict policies.

Second, disabling SELinux controls (or running in permissive) still doesn't work. I have yet to find out why (seunshare exits if it can't drop its privileges; for some reason on my systems that is triggered and the exploit fails). Might be grsecurity related, although I cannot confirm this.

Anyway, the fix by Red Hat is two-fold: libcap-ng first needs to be fixed (seems to be in libcap-ng-0.7.4, although Red Hat's first attempt at fixing this failed); I have yet to see if Gentoo's libcap-ng-0.7.4 has the fix.

There is a second update in seunshare ready, which I'll look into now.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2014-05-09 17:47:44 UTC
I'm going to drop sesandbox support (and seunshare) altogether. It hasn't worked on Gentoo for quite a few releases, apparently; we don't provide the policy, and there's actually little use for it.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2014-05-09 18:44:41 UTC
policycoreutils-2.2.5-r4 and policycoreutils-2.3_rc1-r1 are now available in the tree, ~arch for now, and no longer support USE="sesandbox". Added elogs to the ebuild noting that the support has been removed; writing up a blog post for this as well.

Stabilization of policycoreutils-2.2.5-r4 will be done soon, servers are running regression tests currently.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev Security 2014-05-09 21:26:29 UTC
Please advise when ready for stabilization.
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2014-05-10 13:00:54 UTC
Tests were successful. The policycoreutils-2.2.5-r4 package is now stabilized.
Comment 8 Jason Zaman gentoo-dev 2014-08-03 13:52:18 UTC
Just an update, the userland 2.3 stuff has gone stable now so we can probably start removing the vulnerable ones soon.

See bug: 514194
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-08-03 14:08:02 UTC
Yes, we can.
Comment 10 Sven Vermeulen (RETIRED) gentoo-dev 2014-08-09 19:46:47 UTC
Vulnerable versions are no longer in the tree.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-08-19 04:52:27 UTC
CVE-2014-3215 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3215):
  seunshare in policycoreutils 2.2.5 is owned by root with 4755 permissions,
  and executes programs in a way that changes the relationship between the
  setuid system call and the getresuid saved set-user-ID value, which makes it
  easier for local users to gain privileges by leveraging a program that
  mistakenly expected that it could permanently drop privileges.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2014-08-19 04:54:02 UTC
Arches and Maintainer(s), thank you for your work.

New GLSA Request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-12-26 19:24:02 UTC
This issue was resolved and addressed in GLSA 201412-44 at http://security.gentoo.org/glsa/glsa-201412-44.xml by GLSA coordinator Yury German (BlueKnight).