OpenSuSE has issued an advisory today (May 30):
http://lists.opensuse.org/opensuse-updates/2014-05/msg00084.html

The issue is fixed upstream in 0.7.4 (which is in Cauldron).

Patched packages uploaded for Mageia 3 and Mageia 4.

Note that this is marked as critical for us based on RedHat's bug, rather than low as OpenSuSE did, because unlike OpenSuSE, our /sbin/seunshare binary in policycoreutils is SUID root.

Here's RedHat's bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3215

Advisory:
========================

Updated libcap-ng packages fix security vulnerability:

capng_lock() in libcap-ng before 0.7.4 sets securebits in an attempt to prevent regaining capabilities using setuid-root programs. This allows a user to run setuid programs, such as seunshare from policycoreutils, as uid 0 but without capabilities, which is potentially dangerous (CVE-2014-3215).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3215
http://lists.opensuse.org/opensuse-updates/2014-05/msg00084.html
========================

Updated packages in core/updates_testing:
========================
libcap-ng0-0.7.3-2.1.mga3
libcap-ng-devel-0.7.3-2.1.mga3
python-libcap-ng-0.7.3-2.1.mga3
libcap-ng-utils-0.7.3-2.1.mga3

libcap-ng0-0.7.3-3.1.mga4
libcap-ng-devel-0.7.3-3.1.mga4
python-libcap-ng-0.7.3-3.1.mga4
libcap-ng-utils-0.7.3-3.1.mga4

from SRPMS:
libcap-ng-0.7.3-2.1.mga3.src.rpm
libcap-ng-0.7.3-3.1.mga4.src.rpm

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
There was a tl;dr thread about this recently on oss-security: http://openwall.com/lists/oss-security/2014/04/29/7
URL: (none) => http://lwn.net/Vulnerabilities/600797/
Testing with the PoC from the openwall link in comment 1.
Saved as sesploit.c and compiled with gcc -o sesploit sesploit.c

$ ./sesploit
Dropped privs; real uid is 500 and effective uid is 500
Phew, safe.

$ /usr/sbin/seunshare -t . `realpath ./sesploit`
Dropped privs; real uid is 500 and effective uid is 500
Phew, safe.

Not showing vulnerable with this exploit, but we can use it anyway with strace to show seunshare (from package policycoreutils-sandbox) using the updated libcap-ng:

$ strace -o strace.out /usr/sbin/seunshare -t . `realpath ./sesploit`
$ grep cap strace.out
open("/lib64/libcap-ng.so.0", O_RDONLY|O_CLOEXEC) = 3

Testing complete mga4 64
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
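The strace run in the comment above only confirms which libcap-ng the binary loaded; the state the advisory actually warns about (a setuid-root program running with euid 0 but an empty capability set, because the parent's capng_lock() left SECBIT_NOROOT set) can be checked directly from the process's credentials. The following is an added example, not code from this bug, from Mageia's packages, from libcap-ng or from the openwall PoC. It decodes the `Uid:` and `Cap*:` lines of /proc/<pid>/status and a securebits value as returned by prctl(PR_GET_SECUREBITS), and flags the "root without capabilities" condition. The two status texts are constructed to show the vulnerable and the normal outcome; the `live_securebits()` helper is an assumption about how a tester would read the value on a Linux box and is only used when the script is run directly.

```python
"""Decode a process's credential state and flag "uid 0 but no capabilities".

Added example for this bug; not code from Mageia, libcap-ng or the PoC.
The /proc/<pid>/status samples below are constructed.
"""

# Securebits flag values, from <linux/securebits.h>.
SECUREBITS = {
    "SECBIT_NOROOT": 1 << 0,
    "SECBIT_NOROOT_LOCKED": 1 << 1,
    "SECBIT_NO_SETUID_FIXUP": 1 << 2,
    "SECBIT_NO_SETUID_FIXUP_LOCKED": 1 << 3,
    "SECBIT_KEEP_CAPS": 1 << 4,
    "SECBIT_KEEP_CAPS_LOCKED": 1 << 5,
}

# Capability names indexed by capability number (0..37), from <linux/capability.h>.
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ"
).split()

# Constructed: a setuid-root binary exec'd from a parent that set SECBIT_NOROOT
# (pre-0.7.4 capng_lock() behaviour): euid is 0, yet every cap set is empty.
STATUS_ROOT_NO_CAPS = """\
Name:\tsesploit
Uid:\t500\t0\t0\t0
Gid:\t500\t500\t500\t500
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000003fffffffff
"""

# Constructed: the same binary exec'd normally; the kernel grants full caps.
STATUS_ROOT_FULL_CAPS = """\
Name:\tsesploit
Uid:\t500\t0\t0\t0
Gid:\t500\t500\t500\t500
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
"""


def decode_securebits(value):
    """Names of the securebits flags set in a prctl(PR_GET_SECUREBITS) value."""
    return [name for name, bit in SECUREBITS.items() if value & bit]


def decode_caps(hexmask):
    """Capability names set in a CapXxx hex mask as printed in /proc/<pid>/status."""
    mask = int(hexmask, 16)
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            names.append("CAP_" + CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
    return names


def parse_status(text):
    """Pick the Uid/Gid and Cap* fields out of /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        if key in ("Uid", "Gid"):
            fields[key] = [int(x) for x in rest.split()]   # real, effective, saved, fs
        elif key.startswith("Cap"):
            fields[key] = rest.strip()
    return fields


def assess(status_text, securebits):
    """Return a list of findings; empty means the credential state is consistent."""
    st = parse_status(status_text)
    euid = st["Uid"][1]
    effective = decode_caps(st["CapEff"])
    findings = []
    if euid == 0 and not effective:
        findings.append("euid 0 with empty CapEff: setuid-root program running "
                        "as root without capabilities")
    if "SECBIT_NOROOT" in decode_securebits(securebits):
        findings.append("SECBIT_NOROOT set: exec of a setuid-root program will "
                        "not gain capabilities")
    return findings


def live_securebits():
    """Assumed helper: this process's securebits via prctl(PR_GET_SECUREBITS); Linux only."""
    import ctypes
    PR_GET_SECUREBITS = 27
    libc = ctypes.CDLL(None, use_errno=True)
    value = libc.prctl(PR_GET_SECUREBITS, 0, 0, 0, 0)
    if value < 0:
        raise OSError(ctypes.get_errno(), "prctl(PR_GET_SECUREBITS) failed")
    return value


if __name__ == "__main__":
    with open("/proc/self/status") as fh:
        for finding in assess(fh.read(), live_securebits()) or ["no findings"]:
            print(finding)
```

Run as a script it reports on its own process; to check a child of seunshare, pass that child's /proc/<pid>/status text and the securebits value read from inside it, since securebits are per process and inherited across fork and exec.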
Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok
Testing complete mga3 64
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok
Testing complete mga4 32
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0251.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED