Date: Mon, 12 May 2014 10:34:00 -0700
From: Andy Lutomirski <luto@...capital.net>
To: oss-security@...ts.openwall.com
Subject: CVE Request: seunshare and setexeccon issues

I think that the fallout for the seunshare stuff is now well-understood enough for CVE requests.

As previously discussed, some combinations of seunshare and libcap-ng can allow sendmail capabilities bug-style privilege escalation. This was caused by capng_lock enabling securebits without using PR_SET_NO_NEW_PRIVS. This seems to be fixed in the latest cap-ng.* That fix causes a regression in policycoreutils' sandbox program; the fix for that regression is making its way upstream.

The related issue is that Linux will silently ignore setexeccon if the subsequent execve call runs something from a nosuid mount. This can cause unexpected failures to enforce SELinux policy. This is probably a low-impact issue. Changes to fix this issue have been discussed, but no patch has been sent yet.

The latter issue causes using policycoreutils' sandbox tool on a binary that is on a nosuid mount to fail open; no error will be reported, but the sandbox policy will not be enforced. This is worked around in Fedora and related distros as a side effect of the regression fix for the capng_lock issue.

I'm not sure how many CVE numbers should be assigned here. As far as I know, none have been assigned so far.

* Combinations of new cap-ng and very old kernels may still be unsafe.

--Andy
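The two failure modes Andy describes are both things a sandbox launcher can check for before it commits to running a target. The following is an added example, not code from the mail, from libcap-ng or from policycoreutils. It shows a hypothetical pre-flight routine (`sandbox_preflight` and its helpers are names chosen here) that (1) refuses to proceed when setuid-affecting securebits are set without no_new_privs, which is the capng_lock hazard, and (2) refuses when the target lives on a nosuid mount, where the kernel would silently ignore setexeccon and the sandbox would fail open. The SECBIT_* and PR_GET_NO_NEW_PRIVS values are the Linux ones, redefined under #ifndef so the file builds without kernel headers.

```c
/* Added example (not from the original mail): pre-flight checks a sandbox
 * launcher can run before locking securebits and calling setexeccon(). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/statvfs.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Bit positions mirror <linux/securebits.h>; defined here only so the
 * example compiles where kernel headers are absent. */
#ifndef SECBIT_NOROOT
#define SECBIT_NOROOT (1UL << 0)
#endif
#ifndef SECBIT_NO_SETUID_FIXUP
#define SECBIT_NO_SETUID_FIXUP (1UL << 2)
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Pure decision: securebits that change setuid semantics are only safe to
 * lock when no_new_privs is also set, otherwise a later execve of a setuid
 * binary runs it in a state it does not expect (the capng_lock issue).
 * Returns 1 if the combination is unsafe, 0 otherwise. */
int securebits_unsafe_without_nnp(unsigned long securebits, int no_new_privs)
{
    unsigned long risky = SECBIT_NOROOT | SECBIT_NO_SETUID_FIXUP;
    return (securebits & risky) != 0 && no_new_privs == 0;
}

/* Pure decision on statvfs f_flag: on a nosuid mount setexeccon is ignored
 * by the kernel, so the sandbox policy would not be applied. */
int mount_flags_nosuid(unsigned long f_flag)
{
    return (f_flag & ST_NOSUID) != 0;
}

/* Read no_new_privs for the calling process: 1 or 0, -1 if unavailable. */
int no_new_privs_enabled(void)
{
#ifdef __linux__
    int r = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
    return r < 0 ? -1 : (r != 0);
#else
    return -1;
#endif
}

/* Is the target binary on a nosuid mount? 1 or 0, -1 on stat failure. */
int path_on_nosuid_mount(const char *path)
{
    struct statvfs st;
    if (statvfs(path, &st) != 0)
        return -1;
    return mount_flags_nosuid(st.f_flag);
}

/* Hypothetical launcher pre-flight: 0 means safe to proceed, nonzero is a
 * refusal code with the reason printed to stderr. 'securebits' is the set
 * of bits the caller is about to lock. */
int sandbox_preflight(const char *target, unsigned long securebits)
{
    int nnp = no_new_privs_enabled();
    if (nnp >= 0 && securebits_unsafe_without_nnp(securebits, nnp)) {
        fprintf(stderr, "refusing: securebits locked without no_new_privs\n");
        return 1;
    }
    int nosuid = path_on_nosuid_mount(target);
    if (nosuid < 0) {
        fprintf(stderr, "refusing: cannot stat %s: %s\n", target, strerror(errno));
        return 2;
    }
    if (nosuid) {
        fprintf(stderr, "refusing: %s is on a nosuid mount; setexeccon would be "
                        "ignored and the sandbox would fail open\n", target);
        return 3;
    }
    return 0;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "/bin/true";
    /* Constructed input: the unsafe NOROOT-without-NNP combination. */
    int rc = sandbox_preflight(target, SECBIT_NOROOT);
    printf("preflight for %s: %s (rc=%d)\n", target, rc == 0 ? "ok" : "refused", rc);
    return rc;
}
```

Run it as `./preflight /path/to/binary`; with no_new_privs unset it refuses at the securebits step, and on a path under a nosuid mount it refuses at the mount step, which is exactly the case the mail says currently fails silently. A real launcher would call `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` before locking securebits and treat any nonzero return here as fatal rather than continuing without policy.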