Hello community, here is the log from the commit of package policycoreutils for openSUSE:Factory checked in at 2017-06-30 18:42:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/policycoreutils (Old) and /work/SRC/openSUSE:Factory/.policycoreutils.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "policycoreutils" Fri Jun 30 18:42:49 2017 rev:41 rq:507122 version:2.5 Changes: -------- --- /work/SRC/openSUSE:Factory/policycoreutils/policycoreutils.changes 2016-08-05 18:16:35.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.policycoreutils.new/policycoreutils.changes 2017-06-30 18:43:44.570478466 +0200 @@ -1,0 +2,6 @@ +Mon Dec 19 07:21:22 UTC 2016 - jsegitz@novell.com + +- Added CVE-2016-7545_sandbox_escape.patch to fix CVE-2016-7545, bsc#1000998 + Sandboxed session could have escaped to the parent session + +------------------------------------------------------------------- New: ---- CVE-2016-7545_sandbox_escape.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ policycoreutils.spec ++++++ --- /var/tmp/diff_new_pack.38zjuk/_old 2017-06-30 18:43:45.290377208 +0200 +++ /var/tmp/diff_new_pack.38zjuk/_new 2017-06-30 18:43:45.294376645 +0200 @@ -1,7 +1,7 @@ # # spec file for package policycoreutils # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -40,6 +40,7 @@ Patch4: policycoreutils-initscript.patch Patch5: policycoreutils-pam-common.patch Patch10: loadpolicy_path.patch +Patch11: CVE-2016-7545_sandbox_escape.patch BuildRequires: audit-devel >= %{libaudit_ver} BuildRequires: dbus-1-glib-devel BuildRequires: fdupes 
@@ -108,7 +109,6 @@ Group: Productivity/Security Requires: policycoreutils-python = %{version} Requires: xorg-x11-server-extra -# Requires: matchbox-window-manager %description sandbox The sandbox package contains the scripts to create graphical sandboxes. @@ -127,8 +127,6 @@ Summary: SELinux configuration GUI Group: Productivity/Security Requires: policycoreutils-python = %{version} -# Requires: gnome-python2-canvas -# Requires: usermode-gtk Requires: python Requires: python-gnome Requires: python-gtk @@ -143,9 +141,7 @@ %patch4 %patch5 %patch10 -p1 -# sleep 5 -# touch po/policycoreutils.pot -# sleep 5 +%patch11 -p1 %build export SUSE_ASNEEDED=0 ++++++ CVE-2016-7545_sandbox_escape.patch ++++++ Index: policycoreutils-2.5/sandbox/sandbox =================================================================== --- policycoreutils-2.5.orig/sandbox/sandbox 2016-02-23 17:31:41.000000000 +0100 +++ policycoreutils-2.5/sandbox/sandbox 2016-12-19 08:20:38.507223657 +0100 @@ -467,10 +467,15 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom cmds += ["--"] + self.__paths return subprocess.Popen(cmds).wait() - selinux.setexeccon(self.__execcon) - rc = subprocess.Popen(self.__cmds).wait() - selinux.setexeccon(None) - return rc + pid = os.fork() + if pid == 0: + rc = os.setsid() + if rc: + return rc + selinux.setexeccon(self.__execcon) + os.execv(self.__cmds[0], self.__cmds) + rc = os.waitpid(pid, 0) + return os.WEXITSTATUS(rc[1]) finally: for i in self.__paths:
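Review bot: in the CVE-2016-7545_sandbox_escape.patch hunk, a `return` inside the forked child is unsafe: `if rc: return rc` after `os.setsid()`, and any exception raised by `os.execv` (for example when `self.__cmds[0]` does not exist), would leave the child running the parent's code path, including the `finally:` cleanup over `self.__paths`, in a second process. In Python `os.setsid()` returns None and raises OSError on failure, so the `if rc:` branch is dead code; the child should wrap `setsid`/`setexeccon`/`execv` in `try`/`except` and call `os._exit(1)` on any failure, never `return`. Two smaller points: `os.execv(self.__cmds[0], self.__cmds)` does not search PATH as `subprocess.Popen(self.__cmds)` did, so the command must already be resolved to a path by the time this code runs; and `os.WEXITSTATUS(rc[1])` is only meaningful when `os.WIFEXITED(rc[1])` is true, so a child killed by a signal should be reported (for example as `128 + os.WTERMSIG(rc[1])`) instead of collapsing to exit status 0. The session separation itself is the right fix for the escape: `setsid()` puts the sandboxed command in its own session with no controlling terminal, so it can no longer push input into the parent's tty, and calling `selinux.setexeccon` only in the child means the parent's exec context is never touched, which is why the old `setexeccon(None)` reset can go.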
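Review bot: the `@@ -143,9 +141,7 @@` hunk of policycoreutils.spec bundles unrelated cleanup (dropping the commented-out `# sleep 5` and `# touch po/policycoreutils.pot` lines; the `@@ -108` and `@@ -127` hunks likewise drop commented `# Requires:` lines) with the CVE-2016-7545 fix, and none of that cleanup is recorded in the policycoreutils.changes entry, which only mentions the new patch. Either split the cleanup into its own change or add a line to the changes entry so the security fix stays reviewable on its own. The `+%patch11 -p1` line itself is correct: the patch's `Index: policycoreutils-2.5/sandbox/sandbox` and `--- policycoreutils-2.5.orig/sandbox/sandbox` paths need exactly one leading component stripped.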