Uploaded to lucid and maverick proposed, pending SRU team approval.
** Description changed:
SRU
1. This update provides additional protection for consumers of the
private-files and private-files-strict abstractions. In Ubuntu, the
evince and firefox profiles use the private-files abstraction. The
firefox profile is disabled by default.
2. This was fixed in 2.6~devel+bzr1617-0ubuntu1 in natty, which is
upstream revision 1618 in apparmor-trunk.
3. debdiffs are attached
4. TEST CASE:
- * open evince with an image or PDF
- * try to save the file (via File/Save a copy) to ~/.config/autostart and/or
~/.kde/Autostart
+ * open evince with an image or PDF
+ * try to save the file (via File/Save a copy) to ~/.config/autostart and/or
~/.kde/Autostart
Evince should not be able to save the file.
5. The impact on users should be very low as these are abstraction
- updates that aren't in widespread use.
-
+ updates that aren't in widespread use beyond these two Ubuntu profiles.
Original description:
Binary package hint: apparmor
The usr.bin.evince AppArmor profile includes the line "@{HOME}/** rw",
which gives read/write access to the user's home directory. Some files
are explicitly denied by including the "abstractions/private-files"
profile, which blocks write access to files like .profile and
.bash_profile. However, it's still possible to write files to
~/.config/autostart/, which means that an attacker exploiting evince
could drop a desktop shortcut into that directory which would then be
executed the next time the user logs in to the GUI.
I think the best way to fix this would be to deny writes to anything in
~/.config in the abstractions/private-files profile.
** Changed in: apparmor (Ubuntu Maverick)
Status: Triaged => In Progress
** Changed in: apparmor (Ubuntu Lucid)
Status: Triaged => In Progress
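To make the fix concrete, here is an illustrative AppArmor profile fragment, added here and not taken from the Ubuntu packages or the upstream apparmor-trunk commit: the broad home-directory grant from usr.bin.evince beside explicit deny rules for the two autostart directories named in the test case. AppArmor evaluates deny rules ahead of allow rules, so the denies hold even though `@{HOME}/** rw` would otherwise permit the write. The `audit` keyword and the `wl` permission set are choices made for this example, not quoted from the shipped abstraction.

```apparmor
# Illustrative fragment only; the real rules live in
# /etc/apparmor.d/abstractions/private-files and are pulled into a profile
# such as usr.bin.evince with:  #include <abstractions/private-files>

# Vulnerable shape: the profile grants read/write on the whole home
# directory, so without explicit denies a compromised evince can create a
# .desktop file anywhere under it.
@{HOME}/** rw,

# What private-files already does (shape only): keep login scripts read-only.
audit deny @{HOME}/.profile wl,
audit deny @{HOME}/.bash_profile wl,

# Added protection: the GUI autostart directories from the test case.
# 'w' refuses writes; 'l' refuses creating hard links into the directory,
# so an existing .desktop file elsewhere cannot simply be linked in.
# Plain 'deny' rules are silent; 'audit deny' makes every refused attempt
# appear in the kernel log as apparmor="DENIED" with requested_mask="w"
# or "l", which is the detection signal for a confined app trying to persist.
audit deny @{HOME}/.config/autostart/** wl,
audit deny @{HOME}/.kde/Autostart/** wl,
```

After reloading the profile (apparmor_parser -r), repeating the test case should fail the save and leave a DENIED line in the log.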
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/698194
Title:
apparmor private-files profile should include @{HOME}/.config
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs