Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hi!

please unblock package apparmor, which fixes CVE-2017-6507
(Debian bug #858768).

unblock apparmor/2.11.0-3
diff -Nru apparmor-2.11.0/debian/apparmor.init 
apparmor-2.11.0/debian/apparmor.init
--- apparmor-2.11.0/debian/apparmor.init        2016-10-14 22:22:00.000000000 
+0200
+++ apparmor-2.11.0/debian/apparmor.init        2017-03-28 12:23:08.000000000 
+0200
@@ -190,7 +190,6 @@
                clear_cache
                load_configured_profiles
                rc=$?
-               unload_obsolete_profiles
 
                log_end_msg "$rc"
                ;;
diff -Nru apparmor-2.11.0/debian/apparmor.install 
apparmor-2.11.0/debian/apparmor.install
--- apparmor-2.11.0/debian/apparmor.install     2016-10-14 22:14:49.000000000 
+0200
+++ apparmor-2.11.0/debian/apparmor.install     2017-03-28 12:23:08.000000000 
+0200
@@ -6,6 +6,7 @@
 sbin/apparmor_parser
 usr/bin/aa-enabled
 usr/bin/aa-exec
+usr/sbin/aa-remove-unknown
 usr/sbin/aa-status
 usr/sbin/apparmor_status
 etc/apparmor.d/tunables/alias
diff -Nru apparmor-2.11.0/debian/apparmor.manpages 
apparmor-2.11.0/debian/apparmor.manpages
--- apparmor-2.11.0/debian/apparmor.manpages    2017-01-09 13:40:08.000000000 
+0100
+++ apparmor-2.11.0/debian/apparmor.manpages    2017-03-28 12:23:08.000000000 
+0200
@@ -5,5 +5,6 @@
 debian/tmp/usr/share/man/man7/apparmor.7
 debian/tmp/usr/share/man/man1/aa-enabled.1
 debian/tmp/usr/share/man/man1/aa-exec.1
+debian/tmp/usr/share/man/man8/aa-remove-unknown.8
 debian/tmp/usr/share/man/man8/aa-status.8
 debian/tmp/usr/share/man/man8/apparmor_status.8
diff -Nru apparmor-2.11.0/debian/apparmor.postinst 
apparmor-2.11.0/debian/apparmor.postinst
--- apparmor-2.11.0/debian/apparmor.postinst    2015-08-13 21:25:45.000000000 
+0200
+++ apparmor-2.11.0/debian/apparmor.postinst    2017-03-28 12:23:08.000000000 
+0200
@@ -113,7 +113,6 @@
         if aa-status --enabled 2>/dev/null; then
             clear_cache || true
             load_configured_profiles || true
-            unload_obsolete_profiles || true
         fi
 
         # Discard the return code and just make sure the md5sums are updated
diff -Nru apparmor-2.11.0/debian/apparmor.upstart 
apparmor-2.11.0/debian/apparmor.upstart
--- apparmor-2.11.0/debian/apparmor.upstart     2016-10-14 22:14:49.000000000 
+0200
+++ apparmor-2.11.0/debian/apparmor.upstart     2017-03-28 12:23:08.000000000 
+0200
@@ -83,7 +83,6 @@
     if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then
         clear_cache
         load_configured_profiles
-       unload_obsolete_profiles
         exit 0
     fi
 
diff -Nru apparmor-2.11.0/debian/changelog apparmor-2.11.0/debian/changelog
--- apparmor-2.11.0/debian/changelog    2017-01-21 11:05:51.000000000 +0100
+++ apparmor-2.11.0/debian/changelog    2017-03-28 12:29:15.000000000 +0200
@@ -1,3 +1,19 @@
+apparmor (2.11.0-3) unstable; urgency=medium
+
+  * Fix CVE-2017-6507: don't unload unknown profiles during package
+    configuration or when restarting the apparmor init script, upstart job, or
+    systemd unit as this could leave processes unconfined (Closes: #858768).
+    Changes cherry-picked from Ubuntu's 2.11.0-2ubuntu3:
+    - debian/apparmor.postinst, debian/apparmor.init, debian/apparmor.upstart:
+      Remove calls to unload_obsolete_profiles()
+    - debian/patches/utils-add-aa-remove-unknown.patch,
+      debian/apparmor.install debian/apparmor.manpages: Include a new utility,
+      aa-remove-unknown, which can be used to unload unknown profiles. Based
+      on an upstream patch but adjusted to source the /lib/apparmor/functions
+      shipped in Debian/Ubuntu.
+
+ -- intrigeri <intrig...@debian.org>  Tue, 28 Mar 2017 10:29:15 +0000
+
 apparmor (2.11.0-2) unstable; urgency=medium
 
   * Drop the apparmor-docs package (Closes: #851118).
diff -Nru apparmor-2.11.0/debian/patches/series 
apparmor-2.11.0/debian/patches/series
--- apparmor-2.11.0/debian/patches/series       2017-01-09 12:46:20.000000000 
+0100
+++ apparmor-2.11.0/debian/patches/series       2017-03-28 12:24:44.000000000 
+0200
@@ -18,6 +18,9 @@
 #profiles-grant-access-to-systemd-resolved.patch
 # Not adapted to Debian packaging of Chromium (Debian#742829)
 #add-chromium-browser.patch
+# Adapted to use debian/lib/apparmor/functions instead of
+# parser/rc.apparmor.functions
+utils-add-aa-remove-unknown.patch
 
 #
 # Patches not yet upstream
diff -Nru apparmor-2.11.0/debian/patches/utils-add-aa-remove-unknown.patch 
apparmor-2.11.0/debian/patches/utils-add-aa-remove-unknown.patch
--- apparmor-2.11.0/debian/patches/utils-add-aa-remove-unknown.patch    
1970-01-01 01:00:00.000000000 +0100
+++ apparmor-2.11.0/debian/patches/utils-add-aa-remove-unknown.patch    
2017-03-28 12:26:56.000000000 +0200
@@ -0,0 +1,214 @@
+Description: utils: Add aa-remove-unknown utility to unload unknown profiles
+ .
+ https://launchpad.net/bugs/1668892
+ .
+ This patch creates a new utility, with the code previously used in the
+ init script 'restart' action, that removes unknown profiles which are
+ not found in /etc/apparmor.d/. The functionality was removed from the
+ common init script code in the fix for CVE-2017-6507.
+ .
+ The new utility prints a message containing the name of each unknown
+ profile before the profiles are removed. It also supports a dry run mode
+ so that an administrator can check which profiles will be removed before
+ unloading any unknown profiles.
+ .
+ If you backport this utility with the fix for CVE-2017-6507 to an
+ apparmor 2.10 release and your backported aa-remove-unknown utility is
+ sourcing the upstream rc.apparmor.functions file, you'll want to include
+ the following bug fix to prevent the aa-remove-unknown utility from
+ removing child profiles that it shouldn't remove:
+ .
+   r3440 - Fix: parser: incorrect output of child profile names
+ .
+ Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
+ Acked-by: Seth Arnold <seth.arn...@canonical.com>
+ Acked-by: John Johansen <john.johan...@canonical.com>
+ .
+ IMPORTANT: The upstream patch has been backported to use the
+ /lib/apparmor/functions file shipped as part of the Debian/Ubuntu packaging
+ instead of the upstream /lib/apparmor/rc.apparmor.functions file.
+Origin: backport, 
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3648
+Author: Tyler Hicks <tyhi...@canonical.com>
+Bug: https://launchpad.net/bugs/1668892
+Bug-Debian: https://bugs.debian.org/858768
+Last-Update: 2017-03-24
+X-Bzr-Revision-Id: tyhi...@canonical.com-20170324050801-6p7c40m8d44ase9c
+
+Index: apparmor-2.11/utils/Makefile
+===================================================================
+--- apparmor-2.11.orig/utils/Makefile
++++ apparmor-2.11/utils/Makefile
+@@ -24,7 +24,7 @@ PERLTOOLS = aa-notify
+ PYTOOLS = aa-easyprof aa-genprof aa-logprof aa-cleanprof aa-mergeprof \
+           aa-autodep aa-audit aa-complain aa-enforce aa-disable \
+         aa-status aa-unconfined
+-TOOLS = ${PERLTOOLS} ${PYTOOLS} aa-decode
++TOOLS = ${PERLTOOLS} ${PYTOOLS} aa-decode aa-remove-unknown
+ PYSETUP = python-tools-setup.py
+ PYMODULES = $(wildcard apparmor/*.py apparmor/rule/*.py)
+ 
+Index: apparmor-2.11/utils/aa-remove-unknown
+===================================================================
+--- /dev/null
++++ apparmor-2.11/utils/aa-remove-unknown
+@@ -0,0 +1,104 @@
++#!/bin/sh
++# ----------------------------------------------------------------------
++#    Copyright (c) 2017 Canonical Ltd. (All rights reserved)
++#
++#    This program is free software; you can redistribute it and/or
++#    modify it under the terms of version 2 of the GNU General Public
++#    License published by the Free Software Foundation.
++#
++#    This program is distributed in the hope that it will be useful,
++#    but WITHOUT ANY WARRANTY; without even the implied warranty of
++#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++#    GNU General Public License for more details.
++#
++#    You should have received a copy of the GNU General Public License
++#    along with this program. If not, see <http://www.gnu.org/licenses/>.
++# ----------------------------------------------------------------------
++
++APPARMOR_FUNCTIONS=/lib/apparmor/functions
++APPARMORFS=/sys/kernel/security/apparmor
++PROFILES_IFACE="${APPARMORFS}/profiles"
++REMOVE="${APPARMORFS}/.remove"
++
++DRY_RUN=0
++
++. $APPARMOR_FUNCTIONS
++
++usage() {
++      local progname="$1"
++      local rc="$2"
++      local msg="usage: ${progname} [options]\n
++Remove profiles unknown to the system
++
++Options:
++ -h, --help   Show this help message and exit
++ -n           Dry run; don't remove profiles"
++
++      if [ "$rc" -ne 0 ] ; then
++              echo "$msg" 1>&2
++      else
++              echo "$msg"
++      fi
++
++      exit "$rc"
++}
++
++if [ "$#" -gt 1 ] ; then
++      usage "$0" 1
++elif [ "$#" -eq 1 ] ; then
++      if [ "$1" = "-h" -o "$1" = "--help" ] ; then
++              usage "$0" 0
++      elif [ "$1" = "-n" ] ; then
++              DRY_RUN=1
++      else
++              usage "$0" 1
++      fi
++fi
++
++
++# We can't use a -r test here because while $PROFILES_IFACE is world-readable,
++# apparmorfs may still return EACCES from open()
++#
++# We have to do this check because error checking awk's getline() below is
++# tricky and, as is, results in an infinite loop when apparmorfs returns an
++# error from open().
++if ! IFS= read line < "$PROFILES_IFACE" ; then
++      echo "ERROR: Unable to read apparmorfs profiles file" 1>&2
++      exit 1
++elif [ ! -w "$REMOVE" ] ; then
++      echo "ERROR: Unable to write to apparmorfs remove file" 1>&2
++      exit 1
++fi
++
++# Clean out running profiles not associated with the current profile
++# set, excluding the libvirt dynamically generated profiles.
++aa_configured=$(mktemp -t aa-XXXXXX)
++configured_profile_names > "$aa_configured"
++if [ "$?" -ne 0 ] ; then
++      echo "ERROR: Unable to enumerate the known profiles" 1>&2
++      rm -f "$aa_configured" "$aa_loaded"
++      exit 1
++fi
++
++aa_loaded=$(mktemp -t aa-XXXXXX)
++running_profile_names > "$aa_loaded" || true
++if [ "$?" -ne 0 ] ; then
++      echo "ERROR: Unable to enumerate the running profiles" 1>&2
++      rm -f "$aa_configured" "$aa_loaded"
++      exit 1
++fi
++
++LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; 
do
++      if [ "$DRY_RUN" -ne 0 ]; then
++              echo "Would remove '${profile}'"
++      else
++              echo "Removing '${profile}'"
++              unload_profile "$profile"
++      fi
++done
++ret="$?"
++
++rm -f "$aa_configured" "$aa_loaded"
++
++# will not catch all errors, but still better than nothing
++exit $ret
+Index: apparmor-2.11/utils/aa-remove-unknown.pod
+===================================================================
+--- /dev/null
++++ apparmor-2.11/utils/aa-remove-unknown.pod
+@@ -0,0 +1,51 @@
++=pod
++
++=head1 NAME
++
++aa-remove-unknown - remove unknown AppArmor profiles
++
++=head1 SYNOPSIS
++
++B<aa-remove-unknown> [option]
++
++=head1 DESCRIPTION
++
++B<aa-remove-unknown> will inventory all profiles in /etc/apparmor.d/, compare
++that list to the profiles currently loaded into the kernel, and then remove 
all
++of the loaded profiles that were not found in /etc/apparmor.d/. It will also
++report the name of each profile that it removes on standard out.
++
++=head1 OPTIONS
++
++=over 4
++
++=item -h, --help
++
++displays a short usage statement.
++
++=item -n
++
++dry run; only prints the names of profiles that would be removed
++
++=back
++
++=head1 EXAMPLES
++
++  $ sudo ./aa-remove-unknown -n
++  Would remove 'test//null-/usr/bin/whoami'
++  Would remove 'test'
++
++  $ sudo ./aa-remove-unknown
++  Removing 'test//null-/usr/bin/whoami'
++  Removing 'test'
++
++=head1 BUGS
++
++None. Please report any you find to Launchpad at
++L<https://bugs.launchpad.net/apparmor/+filebug>.
++
++=head1 SEE ALSO
++
++apparmor(7)
++
++=cut
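Review bot: The `|| true` on `running_profile_names > "$aa_loaded" || true` forces `$?` to 0, so the `if [ "$?" -ne 0 ]` check right after it can never fire and a failure to enumerate the loaded profiles is silently ignored; the parallel check after `configured_profile_names` does work because it carries no `|| true`. In that failure case `$aa_loaded` is empty or partial, `comm` yields fewer (or no) names, and the tool exits 0 having removed less than the administrator expects instead of failing loudly. Dropping the suffix, `running_profile_names > "$aa_loaded"`, makes the error path reachable. Separately, `while read profile` should be `while read -r profile` so a backslash in a profile name is not rewritten before it reaches `unload_profile`, and neither `mktemp` call has its exit status checked, so a failed `mktemp` only surfaces as the misleading "Unable to enumerate the known profiles" message.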
