22890 – policycoreutils new security issue CVE-2018-1063

Bug 22890 - policycoreutils new security issue CVE-2018-1063

Summary: policycoreutils new security issue CVE-2018-1063

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	7
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA7-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2018-04-10 19:34 CEST by David Walser
Modified:	2021-01-17 17:08 CET (History)
CC List:	6 users (show)

See Also:
Source RPM:	policycoreutils-2.5-11.mga7.src.rpm
CVE:	CVE-2018-1063
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-04-10 19:34:51 CEST

RedHat has issued an advisory today (April 10):
https://access.redhat.com/errata/RHSA-2018:0913

We don't actually support SELinux, so we probably don't need to update this for Mageia 6, but we should at least fix it in Cauldron.

Marja Van Waes 2018-04-12 09:48:34 CEST

CC: (none) => marja11
Assignee: bugsquad => basesystem

David Walser 2018-05-04 08:41:13 CEST

Status comment: (none) => Patch available from CentOS

Comment 1 David Walser 2019-01-01 04:12:59 CET

Looking more closely, it looks like the easiest way to fix it would be to update to 2.8 (synced with Fedora).

CC: (none) => ngompa13

David Walser 2019-06-23 19:26:02 CEST

Whiteboard: (none) => MGA7TOO

Comment 2 Nicolas Lécureuil 2020-12-27 00:28:16 CET

fixed in cauldron and mga7
src:
    policycoreutils-2.5-14.1.mga7

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: basesystem => qa-bugs
CC: (none) => mageia

Comment 3 David Walser 2020-12-27 00:44:52 CET

Advisory:
========================

Updated policycoreutils packages fix security vulnerability:

Context relabeling of filesystems is vulnerable to symbolic link attack,
allowing a local, unprivileged malicious entity to change the SELinux context
of an arbitrary file to a context with few restrictions. This only happens when
the relabeling process is done, usually when taking SELinux state from disabled
to enable (permissive or enforcing) (CVE-2018-1063).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1063
https://access.redhat.com/errata/RHSA-2018:0913
========================

Updated packages in core/updates_testing:
========================
policycoreutils-2.5-14.1.mga7
policycoreutils-debugsource-2.5-14.1.mga7
policycoreutils-python-utils-2.5-14.1.mga7
policycoreutils-python3-2.5-14.1.mga7
policycoreutils-python-2.5-14.1.mga7
libpolicycoreutils-devel-2.5-14.1.mga7
policycoreutils-sandbox-2.5-14.1.mga7
policycoreutils-newrole-2.5-14.1.mga7
policycoreutils-gui-2.5-14.1.mga7
policycoreutils-restorecond-2.5-14.1.mga7

from policycoreutils-2.5-14.1.mga7.src.rpm

Status comment: Patch available from CentOS => (none)

Comment 4 Thomas Andrews 2021-01-15 18:28:25 CET

Installed policycoreutils, and ran the guis without actually doing anything.

Used QA Repo to get the updated packages. No installation issues.

Ran the guis again, and they looked and acted the same as before the update.

Since we don't actively support SELinux, and this vulnerability was reported nearly three years ago, it's time to move this along. Validating with my simple test. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK

Comment 5 Aurelien Oudelet 2021-01-17 15:17:52 CET

Advisory pushed to SVN.

CVE: (none) => CVE-2018-1063
CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-01-17 17:08:22 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0032.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.