[pkg-apparmor] Bug#858768: apparmor: CVE-2017-6507

intrigeri intrigeri at debian.org
Tue Mar 28 12:27:35 UTC 2017


Hi,

Antoine Beaupre:
> Jessie, on the other hand, does not seem to be vulnerable:

From my reading of the code, it seems that Wheezy, Jessie and Stretch
are all vulnerable, but only when using sysvinit. I've just fixed this
issue in sid, and filed an unblock request for Stretch.

But systems running systemd should not be vulnerable, as systemd
doesn't use the "restart" action of initscripts: instead, it runs
"stop" then "start". And the "stop" action in /etc/init.d/apparmor
does not unload profiles (since 2.1+961-0ubuntu2 according to the
changelog). I think this explains why Antoine could not reproduce the
problem on Jessie.

Salvatore: with this in mind, do you think we should fix this problem
in Jessie? If yes, with a DSA or jessie-pu?

Ola: the minimal fix for Wheezy is to cherry-pick the part of r1624
(in Vcs-Bzr) that removes calls to unload_obsolete_profiles, ignoring
the bits about aa-remove-unknown:
https://alioth.debian.org/scm/loggerhead/collab-maint/apparmor/revision/1624

Cheers,
-- 
intrigeri
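
Added example, not part of the message above or of the Debian package: a shell triage sketch for the condition described there, where a host is affected only when it is not booted with systemd and /etc/init.d/apparmor still calls unload_obsolete_profiles. The function names, the status strings and the ROOT prefix argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added triage example; function names and status strings are constructed.
# ROOT is a path prefix: empty for the live host, or a directory of fixtures.

# True when the system under ROOT was booted with systemd
# (the same directory test that sd_booted() performs).
init_is_systemd() {
    [ -d "$1/run/systemd/system" ]
}

# True when FILE calls unload_obsolete_profiles outside comment lines
# and outside the function's own definition line.
script_unloads_profiles() {
    sed -e '/^[[:space:]]*#/d' "$1" \
        | grep -v -E 'unload_obsolete_profiles[[:space:]]*\(\)' \
        | grep -q -w 'unload_obsolete_profiles'
}

# Prints one status word for the host under ROOT.
apparmor_restart_exposure() {
    root=${1:-}
    initscript="$root/etc/init.d/apparmor"
    if init_is_systemd "$root"; then
        echo "systemd"            # runs stop then start, per the message
    elif [ ! -r "$initscript" ]; then
        echo "no-initscript"
    elif script_unloads_profiles "$initscript"; then
        echo "sysvinit-unloads"   # initscript still calls the unload helper
    else
        echo "sysvinit-patched"   # calls removed, as in the r1624 cherry-pick
    fi
}
```

Running `apparmor_restart_exposure` with no argument checks the live host; only the "sysvinit-unloads" result matches the combination the message describes as vulnerable.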
