Date: Mon, 12 May 2014 10:34:00 -0700
From: Andy Lutomirski <luto@...capital.net>
To: oss-security@...ts.openwall.com
Subject: CVE Request: seunshare and setexeccon issues

I think that the fallout for the seunshare stuff is now
well-understood enough for CVE requests.

As previously discussed, some combinations of seunshare and libcap-ng
can allow sendmail capabilities bug-style privilege escalation.  This
was caused by capng_lock enabling securebits without using
PR_SET_NO_NEW_PRIVS.  This seems to be fixed in the latest cap-ng.*
That fix causes a regression in policycoreutils' sandbox program;
the fix for that regression is making its way upstream.

The related issue is that Linux will silently ignore setexeccon if the
subsequent execve call runs something from a nosuid mount.  This can
cause unexpected failures to enforce SELinux policy.  This is probably
a low-impact issue.  Changes to fix this issue have been discussed,
but no patch has been sent yet.

The latter issue causes using policycoreutils' sandbox tool on a
binary that is on a nosuid mount to fail open; no error will be
reported, but the sandbox policy will not be enforced.  This is worked
around in Fedora and related distros as a side effect of the
regression fix for the capng_lock issue.

I'm not sure how many CVE numbers should be assigned here.  As far as
I know, none have been assigned so far.


* Combinations of new cap-ng and very old kernels may still be unsafe.

--Andy
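The "fails open" behaviour described above (the kernel quietly dropping a setexeccon context when the subsequent execve runs a binary from a nosuid mount) is something a sandbox wrapper can check for before it relies on the transition. The following is an added example, not code from the message, from policycoreutils or from libcap-ng: it locates the mount that holds a target binary by longest mount-point prefix over /proc/self/mountinfo text, refuses to proceed if that mount is nosuid, and on Linux sets PR_SET_NO_NEW_PRIVS first so that no later execve can grant privileges regardless of securebits. The mountinfo sample and the default target path are constructed for illustration.

```c
/* Added example, not part of the original message: a pre-flight check a
 * sandbox wrapper can run before relying on setexeccon(3). It finds the mount
 * holding the target binary and reports whether it is nosuid, because the
 * kernel then silently ignores the requested exec context. Input is text in
 * /proc/self/mountinfo format; the sample below is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Constructed sample in /proc/self/mountinfo format (assumption, not real data). */
const char SAMPLE_MOUNTINFO[] =
    "22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "40 22 8:2 / /home rw,nosuid,nodev,relatime shared:2 - ext4 /dev/sda2 rw\n"
    "55 22 0:30 / /tmp rw,nosuid,nodev,noexec,relatime shared:3 - tmpfs tmpfs rw\n"
    "60 22 8:3 / /home/build rw,relatime shared:4 - ext4 /dev/sda3 rw\n";

/* Return 1 if the comma-separated option list opts[0..len) contains exactly `want`. */
int has_option(const char *opts, size_t len, const char *want) {
    size_t wl = strlen(want), i = 0;
    while (i < len) {
        size_t j = i;
        while (j < len && opts[j] != ',') j++;
        if (j - i == wl && strncmp(opts + i, want, wl) == 0) return 1;
        i = j + 1;
    }
    return 0;
}

/* Parse one mountinfo line: field 5 is the mount point, field 6 the per-mount
 * options (e.g. "rw,nosuid,nodev"). \040 escapes in mount points are left as-is.
 * Returns 0 on success, -1 if the line has too few fields. */
int parse_mountinfo_line(const char *line, char *mnt, size_t mntsz, int *nosuid) {
    const char *s[6], *e[6], *p = line;
    for (int i = 0; i < 6; i++) {
        while (*p == ' ') p++;
        if (*p == '\0' || *p == '\n') return -1;
        s[i] = p;
        while (*p && *p != ' ' && *p != '\n') p++;
        e[i] = p;
    }
    size_t mlen = (size_t)(e[4] - s[4]);
    if (mlen + 1 > mntsz) return -1;
    memcpy(mnt, s[4], mlen);
    mnt[mlen] = '\0';
    *nosuid = has_option(s[5], (size_t)(e[5] - s[5]), "nosuid");
    return 0;
}

/* Find the mount covering `path` (longest mount-point prefix; a later line wins
 * a tie, since an overmount hides the earlier one). Returns 1 if that mount is
 * nosuid, 0 if not, -1 if no mount matched. */
int path_on_nosuid_mount(const char *mountinfo, const char *path) {
    size_t best = 0;
    int best_nosuid = -1;
    const char *line = mountinfo;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t ll = nl ? (size_t)(nl - line) : strlen(line);
        char buf[1024], mnt[512];
        int nosuid;
        if (ll < sizeof buf) {
            memcpy(buf, line, ll);
            buf[ll] = '\0';
            if (parse_mountinfo_line(buf, mnt, sizeof mnt, &nosuid) == 0) {
                size_t ml = strlen(mnt);
                int match = strcmp(mnt, "/") == 0 ||
                            (strncmp(path, mnt, ml) == 0 &&
                             (path[ml] == '/' || path[ml] == '\0'));
                if (match && ml >= best) { best = ml; best_nosuid = nosuid; }
            }
        }
        line = nl ? nl + 1 : line + ll;
    }
    return best_nosuid;
}

int main(int argc, char **argv) {
    /* Hypothetical default target path; pass a real binary as argv[1]. */
    const char *target = argc > 1 ? argv[1] : "/home/user/bin/tool";
    static char buf[65536];
    const char *mountinfo = SAMPLE_MOUNTINFO;
#ifdef __linux__
    /* Lock out privilege gain on execve before any securebits/capability work. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) { perror("prctl"); return 1; }
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (f) {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        mountinfo = buf;   /* use the live mount table when available */
    }
#endif
    int r = path_on_nosuid_mount(mountinfo, target);
    if (r == 1) {
        fprintf(stderr, "refusing: %s is on a nosuid mount; exec context would be ignored\n", target);
        return 2;
    }
    if (r < 0) { fprintf(stderr, "no mount found for %s\n", target); return 1; }
    printf("%s: mount is not nosuid, a setexeccon transition can apply\n", target);
    return 0;
}
```

The wrapper fails closed (non-zero exit, nothing executed) rather than open, which is the inverse of the behaviour the message reports for sandbox. The longest-prefix rule matters because a non-nosuid bind mount under a nosuid parent (the constructed /home/build line) is what actually governs the binary.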
