oss-sec mailing list archives

Re: CVE-2016-7545 -- SELinux sandbox escape

From: up201407890 () alunos dcc fc up pt
Date: Tue, 25 Oct 2016 17:51:11 +0200

Quoting "Yves-Alexis Perez" <corsac () debian org>:

On Sun, 2016-09-25 at 13:49 +0200, up201407890 () alunos dcc fc up pt wrote:

When executing a program via the SELinux sandbox, the nonpriv session
can escape to the parent session by using the TIOCSTI ioctl to push
characters into the terminal's input buffer, allowing an attacker to
escape the sandbox.

Hi,

it seems that firejail was affected by the same vulnerability, whichwas fixedin 0.9.44 withhttps://github.com/netblue30/firejail/commit/46dc2b34f1fbbc4597

b4ff9f6a3cb28b2d500d1b

The commit log reuses the CVE-2016-7545 number, but I guess a new one should
be assigned since they don't share the same codebase?

Regards,
--
Yves-Alexis Perez - Debian Security


Think so, CC'ing mitre.


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Current thread:

Re: CVE-2016-7545 -- SELinux sandbox escape Yves-Alexis Perez (Oct 25)
- Re: CVE-2016-7545 -- SELinux sandbox escape netblue30 (Oct 25)
- Re: CVE-2016-7545 -- SELinux sandbox escape - Firejail is CVE-2016-9016 cve-assign (Oct 25)
  - Re: CVE-2016-7545 -- SELinux sandbox escape - Firejail is CVE-2016-9016 Yves-Alexis Perez (Oct 25)
- Re: CVE-2016-7545 -- SELinux sandbox escape up201407890 (Oct 25)