List: oss-security
Subject: Re: [oss-security] CVE Request: lightdm no longer confines guest profile with AppArmor
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2013-10-23 2:07:02
Message-ID: 52672F46.9000108 () redhat ! com
On 10/22/2013 08:00 PM, Marc Deslauriers wrote:
> On 13-10-22 09:50 PM, Kurt Seifried wrote:
>> On 10/22/2013 12:52 PM, Marc Deslauriers wrote:
>>> Hello,
>>
>>> Christian Prim discovered that Light Display Manager 1.8.0 and
>>> later no longer use the appropriate wrapper when launching
>>> guest sessions, resulting in the session not being confined by
>>> AppArmor.
>>
>>> Bug report: https://bugs.launchpad.net/lightdm/+bug/1243339
>>
>>> Could a CVE please be assigned to this issue?
>>
>>> Thanks,
>>
>>> Marc.
>>
>>
>> Ok to confirm the AppArmor profile is applied by default to
>> lightdm and the guest account, and was meant to prevent guest
>> from touching /home at all? I just wanna confirm this is a
>> security vuln and not security hardening.
>>
>
> lightdm is supposed to run the guest account through a special
> wrapper that applies an AppArmor security policy so the guest is
> confined and has a limited set of files which it can access. Kind
> of like a sandbox.
>
> The lightdm code was refactored at some point during the 1.8
> development cycle, and the code no longer executes the wrapper,
> resulting in the guest account on Ubuntu 13.10 being unconfined and
> now able to access user's files, which wasn't the case in
> earlier Ubuntu versions.
>
> Basically, a security feature that is applied by default got
> inadvertently dropped in a rewrite.
>
> Marc.
>
>
Understood, please use CVE-2013-4459 for this issue.
--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
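
A check for the condition described in this thread, as an added example that is not part of the original message or of lightdm: it reads each process's AppArmor label from /proc/<pid>/attr/current and reports guest-session processes that are not in enforce mode. The "guest-" account prefix and the profile name in the sample data are assumptions; the sample records are constructed.

```python
import os
import pwd
import re

# Assumption: guest accounts are named "guest-XXXXXX"; adjust for your system.
GUEST_USER = re.compile(r"^guest-")
LABEL = re.compile(r"^(?P<profile>.+) \((?P<mode>\w+)\)$")

# Constructed sample records: (pid, username, raw contents of attr/current).
SAMPLE = [
    (4101, "guest-a1b2c3", "example-guest-profile (enforce)\n"),
    (4102, "guest-a1b2c3", "unconfined\n"),
    (4103, "guest-a1b2c3", "example-guest-profile (complain)\n"),
    (977, "alice", "unconfined\n"),
]

def parse_label(raw):
    """Parse an AppArmor label: 'unconfined' or '<profile> (<mode>)'."""
    text = raw.strip("\x00\n ")
    m = LABEL.match(text)
    if m:
        return m.group("profile"), m.group("mode")
    return text, None  # 'unconfined' or an unrecognised label

def is_enforced(raw):
    """Only 'enforce' mode blocks access; 'complain' merely logs."""
    return parse_label(raw)[1] == "enforce"

def audit(records):
    """Return (pid, user, profile) for guest processes that are not enforced."""
    return [(pid, user, parse_label(raw)[0])
            for pid, user, raw in records
            if GUEST_USER.match(user) and not is_enforced(raw)]

def scan_proc(proc="/proc"):
    """Yield (pid, username, raw_label) for live processes; run as root."""
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            path = os.path.join(proc, entry)
            user = pwd.getpwuid(os.stat(path).st_uid).pw_name
            with open(os.path.join(path, "attr", "current"), errors="replace") as fh:
                yield int(entry), user, fh.read()
        except (OSError, KeyError):
            continue  # process exited, label unreadable, or uid has no passwd entry

if __name__ == "__main__":
    for pid, user, label in audit(scan_proc()):
        print(f"pid {pid} ({user}) is not enforced: {label}")
```

Run it while a guest session is open; any output means the session's processes are running outside an enforcing profile.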