Bug 662928

Summary: VUL-0: apparmor-parser: parser could generate policy using an unconfined fallback execute transition
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: GeneralAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: heiko.rommel, jeffm, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: .
Found By: Development Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Deadline: 2011-01-18   

Description Thomas Biege 2011-01-07 08:20:19 UTC
Hi.
There is a security bug in package 'apparmor-parser'.

This bug is public.

There is no coordinated release date (CRD) set.

More information can be found here:
	https://launchpad.net/bugs/693082


Original posting:



----------  Forwarded Message  ----------

Subject: [Full-disclosure] [USN-1039-1] AppArmor update
Date: Friday 07 January 2011
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com

===========================================================
Ubuntu Security Notice USN-1039-1          January 07, 2011
apparmor update
https://launchpad.net/bugs/693082
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  apparmor                        2.3.1+1403-0ubuntu27.4

Ubuntu 10.04 LTS:
  apparmor                        2.5.1-0ubuntu0.10.04.2

Ubuntu 10.10:
  apparmor                        2.5.1-0ubuntu0.10.10.3

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that if AppArmor was misconfigured, under certain
circumstances the parser could generate policy using an unconfined fallback
execute transition when one was not specified.

..
Comment 1 Jeff Mahoney 2011-01-10 20:32:36 UTC
Committed to openSUSE:Factory (whenever AppArmor 2.5 is accepted).

Committed to openSUSE 11.3 - SR 57760
Committed to openSUSE 11.2 - SR 57759

Committed to SLES11 SP1 - SR 9994

Earlier releases are unaffected since the feature wasn't available until AppArmor 2.3.

Can I get a SWAMP ID for this?
Comment 2 Marcus Meissner 2011-01-11 13:09:29 UTC
-> secteam for swamp
Comment 3 Swamp Workflow Management 2011-01-11 15:05:20 UTC
The SWAMPID for this issue is 38139.
This issue was rated as important.
Please submit fixed packages until 2011-01-18.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 4 Thomas Biege 2011-01-14 11:07:20 UTC
p5->p3 mass change
Comment 5 Thomas Biege 2011-02-16 10:04:32 UTC
Hi Jeff,
can you add the fix for bnc#634801 to apparmor-parser and resubmit the package please? Do we need to release apparmor-profiles then too? (bnc#634801 in its changes file)
Comment 6 Jeff Mahoney 2011-02-16 15:04:18 UTC
bnc#634801 doesn't affect apparmor-parser - it only affects apparmor-profiles.
Comment 7 Thomas Biege 2011-02-17 10:12:09 UTC
Thanks for clarifying.
Comment 8 Heiko Rommel 2011-03-10 15:00:17 UTC
I need some assistance to create a test case for this.

I have read https://bugs.launchpad.net/apparmor/+bug/693082 and created the following profile:

cat <<'EOF' > /etc/apparmor.d/usr.bin.mytestapp
/usr/bin/mytestapp flags=(complain) {
 /usr/bin/mytestapp rm,
 /usr/bin/printf Pux,
 /usr/bin/vi Px,
}
EOF

But I get:

boxer:~ # apparmor_parser --reload < /etc/apparmor.d/usr.bin.mytestapp
AppArmor parser error, line 3: syntax error, unexpected TOK_ID, expecting TOK_MODE

P does seem to work together with ux.

Please advise.
Comment 9 Heiko Rommel 2011-03-10 16:19:06 UTC
sorry, what I meant was:
P does NOT seem to work together with ux.
Comment 10 Jeff Mahoney 2011-03-14 17:41:07 UTC
What release are you testing with?
Comment 11 Heiko Rommel 2011-03-16 09:10:18 UTC
I am using
apparmor-parser-2.3.1-8.14.9 from SLES11 SP1 GM 
and 
apparmor-parser-2.3.1-8.16.10 from the test update

Products: SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLE-DESKTOP 11-SP1 (i386, x86_64), SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLES4VMWARE 11-SP1 (i386, x86_64)
Category: security
SAT Patch No: 3966
MD5 sum: 7a9acb6610b9b4755f205d9ae5c3ad07
SUBSWAMPID: 38740
Packager: jeffm@novell.com
Packages: apparmor-parser >= 2.3.1-8.16.10
Comment 12 Heiko Rommel 2011-03-29 13:54:00 UTC
I have tried the test cases that are embedded in this new release:

make tests

"""
perl ./gen-xtrans.pl
Generated 10816 xtransition interaction tests
make -C .. apparmor_parser
make[1]: Entering directory `/tmp/swamp-38740/BUILD/apparmor-parser-2.3.1'
/usr/bin/bison -d -o parser_yacc.c parser_yacc.y
parser_yacc.y:214.10-22: warning: type clash on default action: <cod> != <>
parser_yacc.y: conflicts: 1 shift/reduce
/usr/bin/flex -B -v -oparser_lex.c parser_lex.l
...
make[1]: Leaving directory `/tmp/swamp-38740/BUILD/apparmor-parser-2.3.1'
/usr/bin/prove  simple.pl
simple....ok
All tests successful.
Files=1, Tests=11098, 21 wallclock secs ( 8.00 cusr +  3.29 csys = 11.29 CPU)
"""

-> looks good

however, I am still curious what is wrong about the test case in comment #8 ...
Comment 13 Jeff Mahoney 2011-03-29 15:01:53 UTC
Ok, it turns out my analysis about our vulnerability was premature. That should have been clear to me when I modified the test case.

The patch is safe but unnecessary. Ubuntu's 2.3 implementation was vulnerable because they backported pux support from the upstream repo. We didn't do that so we're not vulnerable.
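The exchange in comments 8 and 13 turns on what the execute-transition modes in a profile rule mean: 'Px'/'px' and 'ix' keep the child confined, 'ux'/'Ux' run it unconfined, and 'Pux'/'pux' (the mode the SLES 11 2.3.1 parser rejected above, because pux support was only backported in Ubuntu's build) fall back to unconfined if the named profile does not exist. The script below is an added example, not code from the bug report or from the AppArmor project: a small profile audit that parses rule lines and flags every rule that can end in an unconfined execution. The sample profile is constructed here (it extends the test case from comment 8 with a plain 'ux' rule and a few benign rules), and the regex only handles the simple `path perms,` rule shape used in that test case; it does not reproduce the parser defect itself, it lets you find explicitly unconfined transitions in policy you already ship.

```python
import re

# Constructed sample profile (not from the bug report): the comment 8 test
# case extended with an explicit unconfined rule and some benign rules.
SAMPLE_PROFILE = """\
/usr/bin/mytestapp flags=(complain) {
  /usr/bin/mytestapp rm,
  /usr/bin/printf Pux,
  /usr/bin/vi Px,
  /bin/sh ux,
  /usr/bin/helper ix,
  /etc/mytestapp.conf r,
}
"""

# Execute-transition modes in AppArmor 2.x profile syntax.
# A leading p/P (named profile), c/C (child profile) or i (inherit) keeps the
# child confined; a trailing ux/Ux means unconfined, either outright or as the
# fallback when the named profile is missing.
UNCONFINED = {"ux", "Ux"}
FALLBACK_UNCONFINED = {"pux", "Pux", "cux", "Cux"}
CONFINED = {"ix", "px", "Px", "cx", "Cx"}
ALL_EXEC_MODES = UNCONFINED | FALLBACK_UNCONFINED | CONFINED

# Matches only the simple "  /path perms," rule form; the profile header
# line and the closing brace deliberately do not match.
RULE_RE = re.compile(r"^\s*(?P<path>/\S+)\s+(?P<perms>[A-Za-z]+)\s*,\s*$")


def exec_mode(perms):
    """Return the execute-transition part of a permission string, or None.

    Permission strings may combine other access bits with an exec mode
    (e.g. 'rPx', 'rix'), so the longest known mode is matched as a suffix;
    'Pux' is tried before 'ux' so it is not misread as plain 'ux'.
    """
    for mode in sorted(ALL_EXEC_MODES, key=len, reverse=True):
        if perms.endswith(mode):
            return mode
    return None


def audit_profile(text):
    """Return (line_no, path, mode, verdict) for every rule whose execute
    transition can end in unconfined execution."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = RULE_RE.match(line)
        if not m:
            continue
        mode = exec_mode(m.group("perms"))
        if mode in UNCONFINED:
            findings.append((line_no, m.group("path"), mode, "unconfined exec"))
        elif mode in FALLBACK_UNCONFINED:
            findings.append((line_no, m.group("path"), mode,
                             "confined exec with unconfined fallback"))
    return findings


if __name__ == "__main__":
    for line_no, path, mode, verdict in audit_profile(SAMPLE_PROFILE):
        print(f"line {line_no}: {path} {mode}  -> {verdict}")
```

Run against the constructed profile it reports line 3 (`/usr/bin/printf Pux`) as a confined transition with an unconfined fallback and line 5 (`/bin/sh ux`) as an outright unconfined transition; the `Px`, `ix`, `rm` and `r` rules are left alone. On a parser that does not know pux (the SLES 11 2.3.1 build in comment 8) the `Pux` line itself is a syntax error, so the audit is mainly useful on the 2.5-era parsers that accept it.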
Comment 14 Ludwig Nussel 2011-03-30 07:12:54 UTC
so we can cancel the sle11 update
Comment 15 Swamp Workflow Management 2011-03-31 08:26:20 UTC
Update released for: apparmor-parser, apparmor-parser-debuginfo, apparmor-parser-debugsource
Products:
openSUSE 11.2 (debug, i586, x86_64)
openSUSE 11.3 (debug, i586, x86_64)
Comment 16 Ludwig Nussel 2011-03-31 08:27:52 UTC
released