Bug 19463

Summary: policycoreutils new security issue CVE-2016-7545
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: All Packagers <pkg-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: marja11, mhrambo3501, thomas
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/701921/
Whiteboard:
Source RPM: policycoreutils-2.3-8.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-09-26 20:59:33 CEST 
A security issue in policycoreutils has been announced:
http://www.openwall.com/lists/oss-security/2016/09/25/1

I added the upstream fix in Cauldron already.

I don't know if we need to update this for Mageia 5, since we don't support SELinux.
Comment 1 Marja Van Waes 2016-09-27 10:42:35 CEST 
(In reply to David Walser from comment #0)
> A security issue in policycoreutils has been announced:
> http://www.openwall.com/lists/oss-security/2016/09/25/1
> 
> I added the upstream fix in Cauldron already.
> 
> I don't know if we need to update this for Mageia 5, since we don't support
> SELinux.

Assigning to all packagers collectively, for more opinions.

CC: (none) => marja11, thomas
Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2016-11-11 15:33:13 CET 
Installing policycoreutils-python which provides /usr/bin/sandbox is not enough to make this exploitable.

$ /usr/bin/sandbox ./test
Traceback (most recent call last):
  File "/usr/bin/sandbox", line 24, in <module>
    import selinux
ImportError: No module named selinux

So unless there is an selinux module to load this does not look like it can be exploited. To this novice this does not look like a problem for mga5.

CC: (none) => mrambo

Comment 3 David Walser 2016-11-11 17:35:23 CET 
That sounds right.  Thanks Mike.

Status: NEW => RESOLVED
Version: 5 => Cauldron
Resolution: (none) => FIXED