Bug 22890

Summary: policycoreutils new security issue CVE-2018-1063
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, mageia, marja11, ngompa13, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: policycoreutils-2.5-11.mga7.src.rpm CVE: CVE-2018-1063
Status comment:

Description David Walser 2018-04-10 19:34:51 CEST 
RedHat has issued an advisory today (April 10):
https://access.redhat.com/errata/RHSA-2018:0913

We don't actually support SELinux, so we probably don't need to update this for Mageia 6, but we should at least fix it in Cauldron.
Marja Van Waes 2018-04-12 09:48:34 CEST

CC: (none) => marja11
Assignee: bugsquad => basesystem

David Walser 2018-05-04 08:41:13 CEST

Status comment: (none) => Patch available from CentOS

Comment 1 David Walser 2019-01-01 04:12:59 CET 
Looking more closely, it looks like the easiest way to fix it would be to update to 2.8 (synced with Fedora).

CC: (none) => ngompa13

David Walser 2019-06-23 19:26:02 CEST

Whiteboard: (none) => MGA7TOO

Comment 2 Nicolas Lécureuil 2020-12-27 00:28:16 CET 
fixed in cauldron and mga7
src:
    policycoreutils-2.5-14.1.mga7

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: basesystem => qa-bugs
CC: (none) => mageia

Comment 3 David Walser 2020-12-27 00:44:52 CET 
Advisory:
========================

Updated policycoreutils packages fix security vulnerability:

Context relabeling of filesystems is vulnerable to symbolic link attack,
allowing a local, unprivileged malicious entity to change the SELinux context
of an arbitrary file to a context with few restrictions. This only happens when
the relabeling process is done, usually when taking SELinux state from disabled
to enable (permissive or enforcing) (CVE-2018-1063).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1063
https://access.redhat.com/errata/RHSA-2018:0913
========================

Updated packages in core/updates_testing:
========================
policycoreutils-2.5-14.1.mga7
policycoreutils-debugsource-2.5-14.1.mga7
policycoreutils-python-utils-2.5-14.1.mga7
policycoreutils-python3-2.5-14.1.mga7
policycoreutils-python-2.5-14.1.mga7
libpolicycoreutils-devel-2.5-14.1.mga7
policycoreutils-sandbox-2.5-14.1.mga7
policycoreutils-newrole-2.5-14.1.mga7
policycoreutils-gui-2.5-14.1.mga7
policycoreutils-restorecond-2.5-14.1.mga7

from policycoreutils-2.5-14.1.mga7.src.rpm

Status comment: Patch available from CentOS => (none)

Comment 4 Thomas Andrews 2021-01-15 18:28:25 CET 
Installed policycoreutils, and ran the guis without actually doing anything.

Used QA Repo to get the updated packages. No installation issues.

Ran the guis again, and they looked and acted the same as before the update.

Since we don't actively support SELinux, and this vulnerability was reported nearly three years ago, it's time to move this along. Validating with my simple test. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK

Comment 5 Aurelien Oudelet 2021-01-17 15:17:52 CET 
Advisory pushed to SVN.

CVE: (none) => CVE-2018-1063
CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-01-17 17:08:22 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0032.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED