Executive Summary

Summary
Title policycoreutils security update
Informations
Name RHSA-2011:0414 First vendor Publication 2011-04-04
Vendor RedHat Last vendor Modification 2011-04-04
Severity (Vendor) Important Revision 01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 6.9 Attack Range Local
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 3.4 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated policycoreutils packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - noarch Red Hat Enterprise Linux HPC Node (v. 6) - noarch, x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - noarch Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - noarch

3. Description:

The policycoreutils packages contain the core utilities that are required for the basic operation of a Security-Enhanced Linux (SELinux) system and its policies.

It was discovered that the seunshare utility did not enforce proper file permissions on the directory used as an alternate temporary directory mounted as /tmp/. A local user could use this flaw to overwrite files or, possibly, execute arbitrary code with the privileges of a setuid or setgid application that relies on proper /tmp/ permissions, by running that application via seunshare. (CVE-2011-1011)

Red Hat would like to thank Tavis Ormandy for reporting this issue.

This update also introduces the following changes:

* The seunshare utility was moved from the main policycoreutils subpackage to the policycoreutils-sandbox subpackage. This utility is only required by the sandbox feature and does not need to be installed by default.

* Updated selinux-policy packages that add the SELinux policy changes required by the seunshare fixes.

All policycoreutils users should upgrade to these updated packages, which correct this issue.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

633544 - CVE-2011-1011 policycoreutils: insecure temporary directory handling in seunshare

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2011-0414.html

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-264 Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:21423
 
Oval ID: oval:org.mitre.oval:def:21423
Title: RHSA-2011:0414: policycoreutils security update (Important)
Description: The seunshare_mount function in sandbox/seunshare.c in seunshare in certain Red Hat packages of policycoreutils 2.0.83 and earlier in Red Hat Enterprise Linux (RHEL) 6 and earlier, and Fedora 14 and earlier, mounts a new directory on top of /tmp without assigning root ownership and the sticky bit to this new directory, which allows local users to replace or delete arbitrary /tmp files, and consequently cause a denial of service or possibly gain privileges, by running a setuid application that relies on /tmp, as demonstrated by the ksu application.
Family: unix Class: patch
Reference(s): RHSA-2011:0414-01
CVE-2011-1011
 Version: 4
Platform(s): Red Hat Enterprise Linux 6
 Product(s): policycoreutils
selinux-policy
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23059
 
Oval ID: oval:org.mitre.oval:def:23059
Title: ELSA-2011:0414: policycoreutils security update (Important)
Description: The seunshare_mount function in sandbox/seunshare.c in seunshare in certain Red Hat packages of policycoreutils 2.0.83 and earlier in Red Hat Enterprise Linux (RHEL) 6 and earlier, and Fedora 14 and earlier, mounts a new directory on top of /tmp without assigning root ownership and the sticky bit to this new directory, which allows local users to replace or delete arbitrary /tmp files, and consequently cause a denial of service or possibly gain privileges, by running a setuid application that relies on /tmp, as demonstrated by the ksu application.
Family: unix Class: patch
Reference(s): ELSA-2011:0414-01
CVE-2011-1011
 Version: 6
Platform(s): Oracle Linux 6
 Product(s): policycoreutils
selinux-policy
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27195
 
Oval ID: oval:org.mitre.oval:def:27195
Title: DEPRECATED: ELSA-2011-0414 -- policycoreutils security update (important)
Description: policycoreutils: [2.0.83-19.8] - Fix seunshare to work with /tmp content when SELinux context is not provided Resolves: #679689 [2.0.83-19.7] - put back correct chcon - Latest fixes for seunshare [2.0.83-19.6] - Fix rsync command to work if the directory is old. - Fix all tests Resolves: #679689 [2.0.83-19.5] - Add requires rsync and fix man page for seunshare [2.0.83-19.4] - fix to sandbox - Fix seunshare to use more secure handling of /tmp - Rewrite seunshare to make sure /tmp is mounted stickybit owned by root - Change to allow sandbox to run on nfs homedirs, add start python script - change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_* - Move seunshare to sandbox package - Fix sandbox to show correct types in usage statement selinux-policy: [3.7.19-54.0.1.el6_0.5] - Allow ocfs2 to be mounted with file_t type. [3.7.19-54.el6_0.5] - seunshare needs to be able to mounton nfs/cifs/fusefs homedirs Resolves: #684918 [3.7.19-54.el6_0.4] - Fix to sandbox * selinux-policy fixes for policycoreutils sandbox changes - Fix seunshare to use more secure handling of /tmp - Change to allow sandbox to run on nfs homedirs, add start python script
Family: unix Class: patch
Reference(s): ELSA-2011-0414
CVE-2011-1011
 Version: 4
Platform(s): Oracle Linux 6
 Product(s): policycoreutils
selinux-policy
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 258
Os 4
Os 8

OpenVAS Exploits

Date Description
2012-06-06 Name : RedHat Update for policycoreutils RHSA-2011:0414-01
File : nvt/gb_RHSA-2011_0414-01_policycoreutils.nasl
2011-03-24 Name : Fedora Update for policycoreutils FEDORA-2011-3043
File : nvt/gb_fedora_2011_3043_policycoreutils_fc14.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
72541 Red Hat policycoreutils seunshare sandbox/seunshare.c seunshare_mount Functio...

Nessus® Vulnerability Scanner

Date Description
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2011-0414.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20110404_policycoreutils_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2011-04-05 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2011-0414.nasl - Type : ACT_GATHER_INFO
2011-03-21 Name : The remote Fedora host is missing a security update.
File : fedora_2011-3043.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:54:33
  • Multiple Updates