[Git][security-tracker-team/security-tracker][master] Update information on CVE-2016-1585/apparmor
Salvatore Bonaccorso
carnil at debian.org
Sun May 5 08:28:41 BST 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7790774e by Salvatore Bonaccorso at 2019-05-05T07:20:03Z
Update information on CVE-2016-1585/apparmor
The issue is still unresolved but the overall impact in Debian is
limited.
As confirmed by the AppArmor maintainers in Debian, this issue only
affects two things overall (in Debian):
1. lxc. This is not a regression, since we never confined LXC with
AppArmor by default before buster (and the stretch kernel does not have
support for mount rules). This means that in the worst case buster hosts
are less strictly confined than they ideally would be, as mount rules are
supported.
2. libvirtd. This is not a big deal, as the profile used for libvirtd
is not meant to be a strong security boundary (libvirtd can do so
much anyway), but rather as a way to start processes run by libvirtd
under their own profile.
For these reasons it can safely be no-dsa (and, stronger, ignored) for
stretch, probably as well for buster.
The same reason probably can be applied to jessie, as it contains
apparmor >= 2.8.
Thanks: intrigeri
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -162311,10 +162311,15 @@ CVE-2016-1587 (The Snapweb interface before version 0.21.2 was exposing controls
CVE-2016-1586 (A malicious webview could install long-lived unload handlers that re-u ...)
NOT-FOR-US: Oxide
CVE-2016-1585 (In all versions of AppArmor mount rules are accidentally widened when ...)
- - apparmor <undetermined>
+ - apparmor <unfixed>
+ [stretch] - apparmor <ignored> (Minor overall security impact)
NOTE: https://bugs.launchpad.net/apparmor/+bug/1597017
- NOTE: 20190504: Requested more information from upstream. (apo)
- TODO: check
+ NOTE: https://bugzilla.opensuse.org/show_bug.cgi?id=995594
+ NOTE: Introduced around AppArmor 2.8 upstream.
+ NOTE: Mount rules support is enabled in Debian, but the impact of the issue is
+ NOTE: limited to 1. lxc (not a regression, as Debian never confined LXC with AppArmor
+ NOTE: by default before buster, in particular not with mount rules), 2. libvirtd
+ NOTE: but the profile is not meant to be a strong security boundary.
CVE-2016-1584 (In all versions of Unity8 a running but not active application on a la ...)
TODO: check
CVE-2016-1583 (The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the ...)
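Review bot: the hunk annotates only stretch as `<ignored>`, while the commit message argues the same reasoning applies to buster and probably to jessie (apparmor >= 2.8 there); either add matching `[buster]` / `[jessie]` lines with the same "(Minor overall security impact)" reason or state in a NOTE why they are left at `<unfixed>`, so the tracker state matches the rationale. Dropping `NOTE: 20190504: Requested more information from upstream. (apo)` also removes the record that upstream was queried; keeping that line, or folding the answer into the new NOTE lines, preserves how the impact assessment was reached.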
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7790774e9d489c7ee4024dfeea41cb46218369e6