U radu programskog paketa policycoreutils, namijenjenog operacijskom sustavu Fedora 14, otkriven je sigurnosni nedostatak. Riječ je o paketu koji omogućuje uspostavu mandatornog modela kontrole pristupa (eng. mandatory access controls) na Linux operacijskim sustavima. Nedostatak je posljedica pogrešaka u funkciji "seunshare_mount()" u datoteci "sandbox/seunshare.c". Napadaču omogućuje zamjenu ili brisanje proizvoljnih "/tmp" datoteka, izvođenje DoS napada ili stjecanje većih ovlasti. Korisnicima se savjetuje instalacija odgovarajućih sigurnosnih zakrpa.
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-3043
2011-03-10 20:10:10
--------------------------------------------------------------------------------
Name : policycoreutils
Product : Fedora 14
Version : 2.0.85
Release : 19.fc14
URL : http://www.selinuxproject.org
Summary : SELinux policy core utilities
Description :
Security-enhanced Linux is a feature of the Linux kernel and a number
of utilities with enhanced security functionality designed to add
mandatory access controls to Linux. The Security-enhanced Linux
kernel contains new architectural components originally developed to
improve the security of the Flask operating system. These
architectural components provide general support for the enforcement
of many kinds of mandatory access control policies, including those
based on the concepts of Type EnforcementÂŽ, Role-based Access
Control, and Multi-level Security.
policycoreutils contains the policy core utilities that are required
for basic operation of a SELinux system. These utilities include
load_policy to load policies, setfiles to label filesystems, newrole
to switch roles, and run_init to run /etc/init.d scripts in the proper
context.
--------------------------------------------------------------------------------
Update Information:
This fixes the problem with seunshare causing applications to mistakenly use
the /tmp directory in an unsafe manner.
CVE-2011-1011
--------------------------------------------------------------------------------
ChangeLog:
* Tue Mar 8 2011 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.85-19
- Fix portspage in system-config-selinux to not crash
- More fixes for seunshare from Tomas Hoger
* Tue Mar 8 2011 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.85-18
- put back in old handling of -T in sandbox command
- Put back setsid in seunshare
- Fix rsync to maintain times
* Tue Mar 8 2011 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.85-17
- Use rewritten seunshare from thoger
* Mon Mar 7 2011 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.85-16
- Require python-IPy for policycoreutils-python package
- Fixes for sepologen
- Usage statement needs -n name
- Names with _ are being prevented
- dbus apps should get _chat interface
* Thu Mar 3 2011 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.85-15
- Fix error message in seunshare, check for tmpdir existance before unlink.
* Fri Feb 25 2011 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.85-13
- Rewrite seunshare to make sure /tmp is mounted stickybit owned by root
- Only allow names in polgengui that contain letters and numbers
- Fix up node handling in semanage command
- Update translations
* Wed Feb 9 2011 Fedora Release Engineering <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.>
- 2.0.85-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Thu Feb 3 2011 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.85-11
- Fix sandbox policy creation with udp connect ports
* Thu Feb 3 2011 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.85-10
- Cleaup selinux-polgengui to be a little more modern, fix comments and use
selected name
- Cleanup chcat man page
* Wed Feb 2 2011 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.85-9
- Report full errors on OSError on Sandbox
* Fri Jan 21 2011 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.85-8
- Fix newrole hanlding of pcap
* Wed Jan 19 2011 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.85-7
- Have restorecond watch more directories in homedir
* Fri Jan 14 2011 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.85-6
- Add sandbox to sepolgen
* Thu Jan 6 2011 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.85-4
- Fix proper handling of getopt errors
- Do not allow modules names to contain spaces
* Wed Jan 5 2011 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.85-3
- Polgengui raises the wrong type of exception. #471078
- Change semanage to not allow it to semanage module -D
- Change setsebool to suggest run as root on failure
* Wed Dec 22 2010 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.85-2
- Fix restorecond watching utmp file for people logging in our out
* Tue Dec 21 2010 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.85-1
- Update to upstream
* Thu Dec 16 2010 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.84-5
- Change to allow sandbox to run on nfs homedirs, add start python script
* Wed Dec 15 2010 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.84-4
- Move seunshare to sandbox package
* Mon Nov 29 2010 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.84-3
- Fix sandbox to show correct types in usage statement
* Mon Nov 29 2010 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.84-2
- Stop fixfiles from complaining about missing dirs
* Mon Nov 22 2010 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.84-1
- Update to upstream
- List types available for sandbox in usage statement
* Mon Nov 22 2010 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.83-37
- Don't report error on load_policy when system is disabled.
* Mon Nov 8 2010 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.83-36
- Fix up problems pointed out by solar designer on dropping capabilities
* Mon Nov 1 2010 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.83-35
- Check if you have full privs and reset otherwise dont drop caps
* Mon Nov 1 2010 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.83-34
- Fix setools require line
* Fri Oct 29 2010 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.83-33
- Move /etc/pam.d/newrole in to polcicycoreutils-newrole
- Additiona capability checking in sepolgen
* Mon Oct 25 2010 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.83-32
- Remove setuid flag and replace with file capabilities
- Fix sandbox handling of files with spaces in them
* Wed Sep 29 2010 jkeating - 2.0.83-31
- Rebuilt for gcc bug 634757
* Thu Sep 23 2010 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.83-30
- Move restorecond into its own subpackage
* Thu Sep 23 2010 Dan Walsh <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 2.0.83-29
- Fix semanage man page
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #674615 - sandbox shows incomplete error messages from exceptions
https://bugzilla.redhat.com/show_bug.cgi?id=674615
[ 2 ] Bug #674945 - chcat man page typo - s/seuser/seusers/
https://bugzilla.redhat.com/show_bug.cgi?id=674945
[ 3 ] Bug #662938 - SELinux is preventing /usr/bin/newrole "setpcap" access
.
https://bugzilla.redhat.com/show_bug.cgi?id=662938
[ 4 ] Bug #665455 - [abrt] policycoreutils-gui-2.0.83-28.fc14:
seobject.py:1936:get_all:TypeError: 'int' object is not iterable
https://bugzilla.redhat.com/show_bug.cgi?id=665455
[ 5 ] Bug #662159 - [abrt] policycoreutils-gui-2.0.83-33.2.fc14:
polgen.py:405:set_init_script:ValueError: Only Daemon apps can use an init
script..
https://bugzilla.redhat.com/show_bug.cgi?id=662159
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update policycoreutils' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Posljednje sigurnosne preporuke