[gentoo-announce] [ GLSA 201412-44 ] policycoreutils: Privilege escalation - gentoo-announce

From:	Yury German <blueknight@g.o>
To:	gentoo-announce@g.o
Subject:	[gentoo-announce] [ GLSA 201412-44 ] policycoreutils: Privilege escalation
Date:	Fri, 26 Dec 2014 19:15:57
Message-Id:	`549DB39C.1040001@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201412-44

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: High

8

    Title: policycoreutils: Privilege escalation

9

     Date: December 26, 2014

10

     Bugs: #509896

11

       ID: 201412-44

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A vulnerability in policycoreutils could lead to local privilege

19

escalation.

20

21

Background

22

==========

23

24

policycoreutils is a collection of SELinux policy utilities.

25

26

Affected packages

27

=================

28

29

    -------------------------------------------------------------------

30

     Package              /     Vulnerable     /            Unaffected

31

    -------------------------------------------------------------------

32

  1  sys-apps/policycoreutils

33

                                 < 2.2.5-r4               >= 2.2.5-r4

34

35

Description

36

===========

37

38

The seunshare utility is owned by root with 4755 permissions which can

39

be exploited by a setuid system call.

40

41

Impact

42

======

43

44

A local attacker may be able to gain escalated privileges.

45

46

Workaround

47

==========

48

49

There is no known workaround at this time.

50

51

Resolution

52

==========

53

54

All policycoreutils users should upgrade to the latest version:

55

56

  # emerge --sync

57

  # emerge --ask --oneshot -v ">=sys-apps/policycoreutils-2.2.5-r4"

58

59

References

60

==========

61

62

[ 1 ] CVE-2014-3215

63

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3215

64

65

Availability

66

============

67

68

This GLSA and any updates to it are available for viewing at

69

the Gentoo Security Website:

70

71

 http://security.gentoo.org/glsa/glsa-201412-44.xml

72

73

Concerns?

74

=========

75

76

Security is a primary focus of Gentoo Linux and ensuring the

77

confidentiality and security of our users' machines is of utmost

78

importance to us. Any security concerns should be addressed to

79

security@g.o or alternatively, you may file a bug at

80

https://bugs.gentoo.org.

81

82

License

83

=======

84

85

Copyright 2014 Gentoo Foundation, Inc; referenced text

86

belongs to its owner(s).

87

88

The contents of this document are licensed under the

89

Creative Commons - Attribution / Share Alike license.

90

91

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201412-44
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: High
8	Title: policycoreutils: Privilege escalation
9	Date: December 26, 2014
10	Bugs: #509896
11	ID: 201412-44
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A vulnerability in policycoreutils could lead to local privilege
19	escalation.
20
21	Background
22	==========
23
24	policycoreutils is a collection of SELinux policy utilities.
25
26	Affected packages
27	=================
28
29	-------------------------------------------------------------------
30	Package / Vulnerable / Unaffected
31	-------------------------------------------------------------------
32	1 sys-apps/policycoreutils
33	< 2.2.5-r4 >= 2.2.5-r4
34
35	Description
36	===========
37
38	The seunshare utility is owned by root with 4755 permissions which can
39	be exploited by a setuid system call.
40
41	Impact
42	======
43
44	A local attacker may be able to gain escalated privileges.
45
46	Workaround
47	==========
48
49	There is no known workaround at this time.
50
51	Resolution
52	==========
53
54	All policycoreutils users should upgrade to the latest version:
55
56	# emerge --sync
57	# emerge --ask --oneshot -v ">=sys-apps/policycoreutils-2.2.5-r4"
58
59	References
60	==========
61
62	[ 1 ] CVE-2014-3215
63	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3215
64
65	Availability
66	============
67
68	This GLSA and any updates to it are available for viewing at
69	the Gentoo Security Website:
70
71	http://security.gentoo.org/glsa/glsa-201412-44.xml
72
73	Concerns?
74	=========
75
76	Security is a primary focus of Gentoo Linux and ensuring the
77	confidentiality and security of our users' machines is of utmost
78	importance to us. Any security concerns should be addressed to
79	security@g.o or alternatively, you may file a bug at
80	https://bugs.gentoo.org.
81
82	License
83	=======
84
85	Copyright 2014 Gentoo Foundation, Inc; referenced text
86	belongs to its owner(s).
87
88	The contents of this document are licensed under the
89	Creative Commons - Attribution / Share Alike license.
90
91	http://creativecommons.org/licenses/by-sa/2.5