Bug 635888 (CVE-2017-6507) - <sys-apps/apparmor-2.11.1 - restart via init script unloads unknown profiles
Summary: <sys-apps/apparmor-2.11.1 - restart via init script unloads unknown profiles
Alias: CVE-2017-6507
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa cve]
Duplicates: 636044
Depends on:
Reported: 2017-10-30 12:24 UTC by Michael Palimaka (kensington)
Modified: 2017-11-03 14:29 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Michael Palimaka (kensington) gentoo-dev 2017-10-30 12:24:37 UTC
An issue was discovered in AppArmor before 2.12. Incorrect handling of unknown AppArmor profiles in AppArmor init scripts, upstart jobs, and/or systemd unit files allows an attacker to possibly have increased attack surfaces of processes that were intended to be confined by AppArmor. This is due to the common logic to handle 'restart' operations removing AppArmor profiles that aren't found in the typical filesystem locations, such as /etc/apparmor.d/. Userspace projects that manage their own AppArmor profiles in atypical directories, such as what's done by LXD and Docker, are affected by this flaw in the AppArmor init script logic.
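To make the described failure mode concrete from the defender's side, here is an added audit helper (not part of the bug report or of AppArmor's own init scripts) that lists the loaded profiles a pre-2.11.1 'restart' would treat as "unknown" and unload: profiles present in the kernel but with no matching entry among the names shipped under /etc/apparmor.d/. The sample inputs below are constructed; the lxd-*, docker-default and file paths are illustrative only.

```shell
#!/bin/sh
# Added example, not from the bug or from AppArmor upstream.
# Reports which loaded AppArmor profiles would be dropped by an init-script
# 'restart' that unloads any profile not found in the profile directory.

# Constructed sample of /sys/kernel/security/apparmor/profiles output
# (one "name (mode)" line per loaded profile).
LOADED_SAMPLE='/usr/sbin/ntpd (enforce)
/usr/bin/evince (complain)
lxd-mycontainer_</var/lib/lxd> (enforce)
docker-default (enforce)'

# Constructed sample of the profile names declared by files under
# /etc/apparmor.d/ (LXD and Docker keep theirs elsewhere, so they are absent).
ONDISK_SAMPLE='/usr/sbin/ntpd
/usr/bin/evince'

# unknown_profiles LOADED ONDISK
#   Prints, in input order, every loaded profile name that is not in the
#   on-disk set. A non-empty result means a vulnerable restart would silently
#   widen the attack surface of those confined processes.
unknown_profiles() {
    printf '%s\n' "$1" | awk -v ondisk="$2" '
        BEGIN {
            n = split(ondisk, names, "\n")
            for (i = 1; i <= n; i++) if (names[i] != "") known[names[i]] = 1
        }
        {
            name = $0
            sub(/ \([a-z]+\)$/, "", name)   # strip the "(enforce)"/"(complain)" mode suffix
            if (name != "" && !(name in known)) print name
        }'
}

# Stand-alone run over the constructed sample: prints the two profiles that a
# vulnerable restart would unload.
unknown_profiles "$LOADED_SAMPLE" "$ONDISK_SAMPLE"
```

On a live host, pass the contents of /sys/kernel/security/apparmor/profiles as the first argument and the profile names declared under /etc/apparmor.d/ as the second; anything printed is a profile the packaged init script must not unload on restart.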
Comment 1 Larry the Git Cow gentoo-dev 2017-10-30 12:53:08 UTC
The bug has been referenced in the following commit(s):

commit 9ffa8736aeb1da843ad06f5514fe068f90263f51
Author:     Michael Palimaka <>
AuthorDate: 2017-10-30 12:45:18 +0000
Commit:     Michael Palimaka <>
CommitDate: 2017-10-30 12:52:57 +0000

    sys-apps/apparmor: version bump 2.11.1
    This resolves CVE-2017-6507.
    Package-Manager: Portage-2.3.8, Repoman-2.3.4

 sys-apps/apparmor/Manifest                         |  1 +
 sys-apps/apparmor/apparmor-2.11.1.ebuild           | 60 ++++++++++++++++++++++
 .../files/apparmor-2.11.1-dynamic-link.patch       | 11 ++++
 3 files changed, 72 insertions(+)
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-31 14:45:57 UTC
*** Bug 636044 has been marked as a duplicate of this bug. ***
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-31 16:07:29 UTC
Thank you, Michael, please let us know when the tree is clean.
Comment 4 Michael Palimaka (kensington) gentoo-dev 2017-11-03 14:00:02 UTC
Cleanup done.
Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-03 14:29:46 UTC
Thank you