Bugzilla – Bug 662928
VUL-0: apparmor-parser: parser could generate policy using an unconfined fallback execute transition
Last modified: 2011-03-31 08:28:06 UTC
Hi. There is a security bug in package 'apparmor-parser'. This bug is public. There is no coordinated release date (CRD) set. More information can be found here: https://launchpad.net/bugs/693082

Original posting:

---------- Forwarded message ----------
Subject: [Full-disclosure] [USN-1039-1] AppArmor update
Date: Friday 07 January 2011
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com

===========================================================
Ubuntu Security Notice USN-1039-1            January 07, 2011
apparmor update
https://launchpad.net/bugs/693082
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 9.10:
  apparmor    2.3.1+1403-0ubuntu27.4

Ubuntu 10.04 LTS:
  apparmor    2.5.1-0ubuntu0.10.04.2

Ubuntu 10.10:
  apparmor    2.5.1-0ubuntu0.10.10.3

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that if AppArmor was misconfigured, under certain circumstances the parser could generate policy using an unconfined fallback execute transition when one was not specified.
..
Committed to openSUSE:Factory (whenever AppArmor 2.5 is accepted).
Committed to openSUSE 11.3 - SR 57760
Committed to openSUSE 11.2 - SR 57759
Committed to SLES11 SP1 - SR 9994

Earlier releases are unaffected since the feature wasn't available until AppArmor 2.3.

Can I get a SWAMP ID for this?
-> secteam for swamp
The SWAMPID for this issue is 38139. This issue was rated as important. Please submit fixed packages until 2011-01-18. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
p5->p3 mass change
Hi Jeff, can you add the fix for bnc#634801 to apparmor-parser and resubmit the package please? Do we need to release apparmor-profiles then too? (bnc#634801 in its changes file)
bnc#634801 doesn't affect apparmor-parser - it only affects apparmor-profiles.
Thanks for clarifying.
I need some assistance to create a test case for this. I have read https://bugs.launchpad.net/apparmor/+bug/693082 and created the following profile:

cat <<'EOF' > /etc/apparmor.d/usr.bin.mytestapp
/usr/bin/mytestapp flags=(complain) {
  /usr/bin/mytestapp rm,
  /usr/bin/printf Pux,
  /usr/bin/vi Px,
}
EOF

But I get:

boxer:~ # apparmor_parser --reload < /etc/apparmor.d/usr.bin.mytestapp
AppArmor parser error, line 3: syntax error, unexpected TOK_ID, expecting TOK_MODE

P does seem to work together with ux. Please advise.
sorry, what I meant was: P does NOT seem to work together with ux.
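An audit helper added here (not from this bug, the apparmor-parser project, or any of the commenters) that classifies the execute modes in an AppArmor profile and lists every rule that can end up running unconfined, either directly (ux) or through the unconfined fallback of pux/cux that this bug is about. It runs on a constructed copy of the comment #8 test profile and assumes only the standard mode letters (P/p and C/c qualifiers, U/u and I/i fallbacks, r w a l k m as plain permissions).

```python
import re

# Exec part of an AppArmor file-rule mode: optional P/p (named profile) or C/c
# (child profile) qualifier, optional U/u (unconfined) or I/i (inherit) fallback, then x.
EXEC_RE = re.compile(r"([PpCc])?([UuIi])?x")

def classify_exec(mode):
    """Return (transition, fallback) for a mode string, or None if it has no x."""
    m = EXEC_RE.search(mode)
    if not m:
        return None
    lead, fb = m.group(1), (m.group(2) or "").lower()
    if lead:
        transition = "profile" if lead in "Pp" else "child"
        fallback = {"": None, "u": "unconfined", "i": "inherit"}[fb]
    else:
        # No qualifier: ux/Ux execs unconfined outright, ix inherits; a bare x is invalid.
        transition = {"": "invalid", "u": "unconfined", "i": "inherit"}[fb]
        fallback = None
    return transition, fallback

def audit_profile(text):
    """List (path, transition, fallback) for each exec rule that can run unconfined,
    directly (ux) or through an unconfined fallback (pux/cux)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(","):
            continue                      # profile header, braces, blank line
        tokens = line[:-1].split()
        while tokens and tokens[0] in ("audit", "owner"):
            tokens.pop(0)
        if len(tokens) != 2 or not tokens[0].startswith("/"):
            continue                      # not a simple "path mode," file rule
        path, mode = tokens
        info = classify_exec(mode)
        if info and "unconfined" in info:
            findings.append((path, info[0], info[1]))
    return findings

# Constructed input: the comment #8 test profile plus one direct ux rule.
TEST_PROFILE = """\
/usr/bin/mytestapp flags=(complain) {
  /usr/bin/mytestapp rm,
  /usr/bin/printf Pux,
  /usr/bin/vi Px,
  /usr/bin/env ux,
}
"""
```

A profile that the parser accepts but that shows up in this list is one to review before switching it from complain to enforce mode.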
What release are you testing with?
I am using apparmor-parser-2.3.1-8.14.9 from SLES11 SP1 GM and apparmor-parser-2.3.1-8.16.10 from the test update

Products: SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLE-DESKTOP 11-SP1 (i386, x86_64), SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLES4VMWARE 11-SP1 (i386, x86_64)
Category: security
SAT Patch No: 3966
MD5 sum: 7a9acb6610b9b4755f205d9ae5c3ad07
SUBSWAMPID: 38740
Packager: jeffm@novell.com
Packages: apparmor-parser >= 2.3.1-8.16.10
I have tried the test cases that are embedded in this new release:

make tests
"""
perl ./gen-xtrans.pl
Generated 10816 xtransition interaction tests
make -C .. apparmor_parser
make[1]: Entering directory `/tmp/swamp-38740/BUILD/apparmor-parser-2.3.1'
/usr/bin/bison -d -o parser_yacc.c parser_yacc.y
parser_yacc.y:214.10-22: warning: type clash on default action: <cod> != <>
parser_yacc.y: conflicts: 1 shift/reduce
/usr/bin/flex -B -v -oparser_lex.c parser_lex.l
...
make[1]: Leaving directory `/tmp/swamp-38740/BUILD/apparmor-parser-2.3.1'
/usr/bin/prove simple.pl
simple....ok
All tests successful.
Files=1, Tests=11098, 21 wallclock secs ( 8.00 cusr + 3.29 csys = 11.29 CPU)
"""

-> looks good

However, I am still curious what is wrong about the test case in comment #8 ...
Ok, it turns out my analysis about our vulnerability was premature. That should have been clear to me when I modified the test case. The patch is safe but unnecessary. Ubuntu's 2.3 implementation was vulnerable because they backported pux support from the upstream repo. We didn't do that so we're not vulnerable.
so we can cancel the sle11 update
Update released for: apparmor-parser, apparmor-parser-debuginfo, apparmor-parser-debugsource

Products:
openSUSE 11.2 (debug, i586, x86_64)
openSUSE 11.3 (debug, i586, x86_64)
released