Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Hi! Please unblock package apparmor, which fixes CVE-2017-6507 (Debian bug #858768).

unblock apparmor/2.11.0-3
diff -Nru apparmor-2.11.0/debian/apparmor.init apparmor-2.11.0/debian/apparmor.init
--- apparmor-2.11.0/debian/apparmor.init 2016-10-14 22:22:00.000000000 +0200
+++ apparmor-2.11.0/debian/apparmor.init 2017-03-28 12:23:08.000000000 +0200
@@ -190,7 +190,6 @@
 clear_cache
 load_configured_profiles
 rc=$?
- unload_obsolete_profiles
 log_end_msg "$rc"
 ;;
diff -Nru apparmor-2.11.0/debian/apparmor.install apparmor-2.11.0/debian/apparmor.install
--- apparmor-2.11.0/debian/apparmor.install 2016-10-14 22:14:49.000000000 +0200
+++ apparmor-2.11.0/debian/apparmor.install 2017-03-28 12:23:08.000000000 +0200
@@ -6,6 +6,7 @@
 sbin/apparmor_parser
 usr/bin/aa-enabled
 usr/bin/aa-exec
+usr/sbin/aa-remove-unknown
 usr/sbin/aa-status
 usr/sbin/apparmor_status
 etc/apparmor.d/tunables/alias
diff -Nru apparmor-2.11.0/debian/apparmor.manpages apparmor-2.11.0/debian/apparmor.manpages
--- apparmor-2.11.0/debian/apparmor.manpages 2017-01-09 13:40:08.000000000 +0100
+++ apparmor-2.11.0/debian/apparmor.manpages 2017-03-28 12:23:08.000000000 +0200
@@ -5,5 +5,6 @@
 debian/tmp/usr/share/man/man7/apparmor.7
 debian/tmp/usr/share/man/man1/aa-enabled.1
 debian/tmp/usr/share/man/man1/aa-exec.1
+debian/tmp/usr/share/man/man8/aa-remove-unknown.8
 debian/tmp/usr/share/man/man8/aa-status.8
 debian/tmp/usr/share/man/man8/apparmor_status.8
diff -Nru apparmor-2.11.0/debian/apparmor.postinst apparmor-2.11.0/debian/apparmor.postinst
--- apparmor-2.11.0/debian/apparmor.postinst 2015-08-13 21:25:45.000000000 +0200
+++ apparmor-2.11.0/debian/apparmor.postinst 2017-03-28 12:23:08.000000000 +0200
@@ -113,7 +113,6 @@
 if aa-status --enabled 2>/dev/null; then
 clear_cache || true
 load_configured_profiles || true
- unload_obsolete_profiles || true
 fi
 # Discard the return code and just make sure the md5sums are updated
diff -Nru apparmor-2.11.0/debian/apparmor.upstart apparmor-2.11.0/debian/apparmor.upstart
--- apparmor-2.11.0/debian/apparmor.upstart 2016-10-14 22:14:49.000000000 +0200
+++ apparmor-2.11.0/debian/apparmor.upstart 2017-03-28 12:23:08.000000000 +0200
@@ -83,7 +83,6 @@
 if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then
 clear_cache
 load_configured_profiles
- unload_obsolete_profiles
 exit 0
 fi
diff -Nru apparmor-2.11.0/debian/changelog apparmor-2.11.0/debian/changelog
--- apparmor-2.11.0/debian/changelog 2017-01-21 11:05:51.000000000 +0100
+++ apparmor-2.11.0/debian/changelog 2017-03-28 12:29:15.000000000 +0200
@@ -1,3 +1,19 @@
+apparmor (2.11.0-3) unstable; urgency=medium
+
+ * Fix CVE-2017-6507: don't unload unknown profiles during package
+ configuration or when restarting the apparmor init script, upstart job, or
+ systemd unit as this could leave processes unconfined (Closes: #858768).
+ Changes cherry-picked from Ubuntu's 2.11.0-2ubuntu3:
+ - debian/apparmor.postinst, debian/apparmor.init, debian/apparmor.upstart:
+ Remove calls to unload_obsolete_profiles()
+ - debian/patches/utils-add-aa-remove-unknown.patch,
+ debian/apparmor.install debian/apparmor.manpages: Include a new utility,
+ aa-remove-unknown, which can be used to unload unknown profiles. Based
+ on an upstream patch but adjusted to source the /lib/apparmor/functions
+ shipped in Debian/Ubuntu.
+
+ -- intrigeri <intrig...@debian.org> Tue, 28 Mar 2017 10:29:15 +0000
+
 apparmor (2.11.0-2) unstable; urgency=medium
 * Drop the apparmor-docs package (Closes: #851118).
diff -Nru apparmor-2.11.0/debian/patches/series apparmor-2.11.0/debian/patches/series
--- apparmor-2.11.0/debian/patches/series 2017-01-09 12:46:20.000000000 +0100
+++ apparmor-2.11.0/debian/patches/series 2017-03-28 12:24:44.000000000 +0200
@@ -18,6 +18,9 @@
 #profiles-grant-access-to-systemd-resolved.patch
 # Not adapted to Debian packaging of Chromium (Debian#742829)
 #add-chromium-browser.patch
+# Adapted to use debian/lib/apparmor/functions instead of
+# parser/rc.apparmor.functions
+utils-add-aa-remove-unknown.patch
 #
 # Patches not yet upstream
diff -Nru apparmor-2.11.0/debian/patches/utils-add-aa-remove-unknown.patch apparmor-2.11.0/debian/patches/utils-add-aa-remove-unknown.patch
--- apparmor-2.11.0/debian/patches/utils-add-aa-remove-unknown.patch 1970-01-01 01:00:00.000000000 +0100
+++ apparmor-2.11.0/debian/patches/utils-add-aa-remove-unknown.patch 2017-03-28 12:26:56.000000000 +0200
@@ -0,0 +1,214 @@
+Description: utils: Add aa-remove-unknown utility to unload unknown profiles
+ .
+ https://launchpad.net/bugs/1668892
+ .
+ This patch creates a new utility, with the code previously used in the
+ init script 'restart' action, that removes unknown profiles which are
+ not found in /etc/apparmor.d/. The functionality was removed from the
+ common init script code in the fix for CVE-2017-6507.
+ .
+ The new utility prints a message containing the name of each unknown
+ profile before the profiles are removed. It also supports a dry run mode
+ so that an administrator can check which profiles will be removed before
+ unloading any unknown profiles.
+ .
+ If you backport this utility with the fix for CVE-2017-6507 to an
+ apparmor 2.10 release and your backported aa-remove-unknown utility is
+ sourcing the upstream rc.apparmor.functions file, you'll want to include
+ the following bug fix to prevent the aa-remove-unknown utility from
+ removing child profiles that it shouldn't remove:
+ .
+ r3440 - Fix: parser: incorrect output of child profile names
+ .
+ Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
+ Acked-by: Seth Arnold <seth.arn...@canonical.com>
+ Acked-by: John Johansen <john.johan...@canonical.com>
+ .
+ IMPORTANT: The upstream patch has been backported to use the
+ /lib/apparmor/functions file shipped as part of the Debian/Ubuntu packaging
+ instead of the upstream /lib/apparmor/rc.apparmor.functions file.
+Origin: backport, http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3648
+Author: Tyler Hicks <tyhi...@canonical.com>
+Bug: https://launchpad.net/bugs/1668892
+Bug-Debian: https://bugs.debian.org/858768
+Last-Update: 2017-03-24
+X-Bzr-Revision-Id: tyhi...@canonical.com-20170324050801-6p7c40m8d44ase9c
+
+Index: apparmor-2.11/utils/Makefile
+===================================================================
+--- apparmor-2.11.orig/utils/Makefile
++++ apparmor-2.11/utils/Makefile
+@@ -24,7 +24,7 @@ PERLTOOLS = aa-notify
+ PYTOOLS = aa-easyprof aa-genprof aa-logprof aa-cleanprof aa-mergeprof \
+ aa-autodep aa-audit aa-complain aa-enforce aa-disable \
+ aa-status aa-unconfined
+-TOOLS = ${PERLTOOLS} ${PYTOOLS} aa-decode
++TOOLS = ${PERLTOOLS} ${PYTOOLS} aa-decode aa-remove-unknown
+ PYSETUP = python-tools-setup.py
+ PYMODULES = $(wildcard apparmor/*.py apparmor/rule/*.py)
+ 
+Index: apparmor-2.11/utils/aa-remove-unknown
+===================================================================
+--- /dev/null
++++ apparmor-2.11/utils/aa-remove-unknown
+@@ -0,0 +1,104 @@
++#!/bin/sh
++# ----------------------------------------------------------------------
++# Copyright (c) 2017 Canonical Ltd. (All rights reserved)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of version 2 of the GNU General Public
++# License published by the Free Software Foundation.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++# ----------------------------------------------------------------------
++
++APPARMOR_FUNCTIONS=/lib/apparmor/functions
++APPARMORFS=/sys/kernel/security/apparmor
++PROFILES_IFACE="${APPARMORFS}/profiles"
++REMOVE="${APPARMORFS}/.remove"
++
++DRY_RUN=0
++
++. $APPARMOR_FUNCTIONS
++
++usage() {
++ local progname="$1"
++ local rc="$2"
++ local msg="usage: ${progname} [options]\n
++Remove profiles unknown to the system
++
++Options:
++ -h, --help Show this help message and exit
++ -n Dry run; don't remove profiles"
++
++ if [ "$rc" -ne 0 ] ; then
++ echo "$msg" 1>&2
++ else
++ echo "$msg"
++ fi
++
++ exit "$rc"
++}
++
++if [ "$#" -gt 1 ] ; then
++ usage "$0" 1
++elif [ "$#" -eq 1 ] ; then
++ if [ "$1" = "-h" -o "$1" = "--help" ] ; then
++ usage "$0" 0
++ elif [ "$1" = "-n" ] ; then
++ DRY_RUN=1
++ else
++ usage "$0" 1
++ fi
++fi
++
++
++# We can't use a -r test here because while $PROFILES_IFACE is world-readable,
++# apparmorfs may still return EACCES from open()
++#
++# We have to do this check because error checking awk's getline() below is
++# tricky and, as is, results in an infinite loop when apparmorfs returns an
++# error from open().
++if ! IFS= read line < "$PROFILES_IFACE" ; then
++ echo "ERROR: Unable to read apparmorfs profiles file" 1>&2
++ exit 1
++elif [ ! -w "$REMOVE" ] ; then
++ echo "ERROR: Unable to write to apparmorfs remove file" 1>&2
++ exit 1
++fi
++
++# Clean out running profiles not associated with the current profile
++# set, excluding the libvirt dynamically generated profiles.
++aa_configured=$(mktemp -t aa-XXXXXX)
++configured_profile_names > "$aa_configured"
++if [ "$?" -ne 0 ] ; then
++ echo "ERROR: Unable to enumerate the known profiles" 1>&2
++ rm -f "$aa_configured" "$aa_loaded"
++ exit 1
++fi
++
++aa_loaded=$(mktemp -t aa-XXXXXX)
++running_profile_names > "$aa_loaded" || true
++if [ "$?" -ne 0 ] ; then
++ echo "ERROR: Unable to enumerate the running profiles" 1>&2
++ rm -f "$aa_configured" "$aa_loaded"
++ exit 1
++fi
++
++LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do
++ if [ "$DRY_RUN" -ne 0 ]; then
++ echo "Would remove '${profile}'"
++ else
++ echo "Removing '${profile}'"
++ unload_profile "$profile"
++ fi
++done
++ret="$?"
++
++rm -f "$aa_configured" "$aa_loaded"
++
++# will not catch all errors, but still better than nothing
++exit $ret
+Index: apparmor-2.11/utils/aa-remove-unknown.pod
+===================================================================
+--- /dev/null
++++ apparmor-2.11/utils/aa-remove-unknown.pod
+@@ -0,0 +1,51 @@
++=pod
++
++=head1 NAME
++
++aa-remove-unknown - remove unknown AppArmor profiles
++
++=head1 SYNOPSIS
++
++B<aa-remove-unknown> [option]
++
++=head1 DESCRIPTION
++
++B<aa-remove-unknown> will inventory all profiles in /etc/apparmor.d/, compare
++that list to the profiles currently loaded into the kernel, and then remove all
++of the loaded profiles that were not found in /etc/apparmor.d/. It will also
++report the name of each profile that it removes on standard out.
++
++=head1 OPTIONS
++
++=over 4
++
++=item -h, --help
++
++displays a short usage statement.
++
++=item -n
++
++dry run; only prints the names of profiles that would be removed
++
++=back
++
++=head1 EXAMPLES
++
++ $ sudo ./aa-remove-unknown -n
++ Would remove 'test//null-/usr/bin/whoami'
++ Would remove 'test'
++
++ $ sudo ./aa-remove-unknown
++ Removing 'test//null-/usr/bin/whoami'
++ Removing 'test'
++
++=head1 BUGS
++
++None. Please report any you find to Launchpad at
++L<https://bugs.launchpad.net/apparmor/+filebug>.
++
++=head1 SEE ALSO
++
++apparmor(7)
++
++=cut
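Review bot: In the new aa-remove-unknown script, the `|| true` on `running_profile_names > "$aa_loaded" || true` makes the `if [ "$?" -ne 0 ]` check right below it unreachable, since `$?` is then always 0, so a failed enumeration of loaded profiles is never reported and the script goes on to `comm` against whatever partial output landed in the temp file; drop the suffix so the branch mirrors the `configured_profile_names` check above it: `running_profile_names > "$aa_loaded"`. In the removal loop, `while read profile` should be `while IFS= read -r profile` so that a profile name containing a backslash reaches `unload_profile` unaltered. The comment above `aa_configured` says libvirt's dynamically generated profiles are excluded, but nothing in this file does that — presumably the sourced `/lib/apparmor/functions` helpers handle it, and the comment should say so rather than imply the exclusion lives here. The two `mktemp` files are only removed on the normal exit paths; a `trap 'rm -f "$aa_configured" "$aa_loaded"' EXIT` after they are created would also cover an interrupted run.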