[Secure-testing-team] Bug#858768: apparmor: CVE-2017-6507
Salvatore Bonaccorso
carnil at debian.org
Sun Mar 26 11:48:40 UTC 2017
Source: apparmor
Version: 2.11.0-2
Severity: important
Tags: security upstream
Forwarded: https://launchpad.net/bugs/1668892
Hi,
the following vulnerability was published for apparmor.
CVE-2017-6507[0]:
| An issue was discovered in AppArmor before 2.12. Incorrect handling of
| unknown AppArmor profiles in AppArmor init scripts, upstart jobs,
| and/or systemd unit files allows an attacker to possibly have increased
| attack surfaces of processes that were intended to be confined by
| AppArmor. This is due to the common logic to handle 'restart'
| operations removing AppArmor profiles that aren't found in the typical
| filesystem locations, such as /etc/apparmor.d/. Userspace projects that
| manage their own AppArmor profiles in atypical directories, such as
| what's done by LXD and Docker, are affected by this flaw in the
| AppArmor init script logic.
This should affect as well apparmor as used in Debian as "The
Debian/Ubuntu packaging for the apparmor package is also affected by
this flaw as it attempts to restart AppArmor when configuring a new
AppArmor package."
But I'm not sure if we need to release a DSA for this issue, I'm not
too familiar with apparmor. As I'm not sure what other project apart
LXD and Docker might use profiles in atypical directory.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-6507
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6507
[1] https://launchpad.net/bugs/1668892
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Secure-testing-team
mailing list