[pkg-apparmor] Bug#929990: Bug#929990: apparmor: CVE-2016-1585: mount rules grant excessive permissions
intrigeri
intrigeri at debian.org
Wed May 24 10:22:29 BST 2023
Hi,
Salvatore Bonaccorso (2019-06-04):
> The following vulnerability was published for apparmor. This is
> already discussed in the upstream bug, so this bug is really to track
> the 'downstream' status for us in the Debian BTS. Would technically
> not be needed but opted to file a bug still in the Debian BTS for it.
> intrigeri has already explained the situation in the upstream bug.
>
> CVE-2016-1585[0]:
> | In all versions of AppArmor mount rules are accidentally widened when
> | compiled.
Upstream has fixed this:
- 2.13.x (Bullseye):
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.8
I propose we don't fix this in Bullseye: my rationale for treating
this as unimportant still applies, and with Bullseye released
2 years ago, I'd rather not take the risk of breaking anything
there to fix a not-so-important issue.
- 3.0.y (Bookworm):
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.10
I'd like to cherry-pick the fix to Bookworm, either via a security
upload or a point-release, at some point in 2023 Q3: given Bookworm
will still be brand new and users' expectations have not been set
in stone yet, IMO the benefits of fixing this bug, and thus having
mount rules behave as documented, outweigh the minimal risk.
I would welcome feedback on these 2 proposals, in particular from
security team members :)
Cheers,
--
intrigeri