desktop-packages team mailing list archive

Thread
Date

[Bug 698194] Re: apparmor private-files profile should include @{HOME}/.config

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: Ubuntu QA's Bug Bot <bug-stats@xxxxxxxxxxxxxxx>
Date: Mon, 19 Sep 2011 21:42:17 -0000
Reply-to: Bug 698194 <698194@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Tags added: testcase

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/698194

Title:
  apparmor private-files profile should include @{HOME}/.config

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “evince” package in Ubuntu:
  Fix Released
Status in “apparmor” source package in Lucid:
  Fix Released
Status in “evince” source package in Lucid:
  Won't Fix
Status in “apparmor” source package in Maverick:
  Fix Released
Status in “evince” source package in Maverick:
  Won't Fix
Status in “apparmor” source package in Natty:
  Fix Released
Status in “evince” source package in Natty:
  Fix Released

Bug description:
  SRU

  1. This update provides additional protection for consumers of the
  private-files and private-files-strict abstractions. In Ubuntu, the
  evince and firefox profiles use the private-files abstraction. The
  firefox profile is disabled by default.

  2. This was fixed in 2.6~devel+bzr1617-0ubuntu1 in natty, which is
  upstream revision 1618 in apparmor-trunk.

  3. debdiffs are attached

  4. TEST CASE:
   * open evince with an image or PDF
   * try to save the file (via File/Save a copy) to ~/.config/autostart and/or ~/.kde/Autostart

  Evince should not be able to save the file.

  5. The impact on users should be very low as these are abstraction
  updates that aren't in widespread use beyond these two Ubuntu
  profiles.

  Original description:
  Binary package hint: apparmor

  The usr.bin.evince AppArmor profile includes the line "@{HOME}/** rw",
  which gives read/write access to the user's home directory. Some files
  are explicitly denied by including the "abstractions/private-files"
  profile, which blocks write access to files like .profile and
  .bash_profile. However, it's still possible to write files to
  ~/.config/autostart/, which means that an attacker exploiting evince
  could drop a desktop shortcut into that directory which would then be
  executed the next time the user logs in to the GUI.

  I think the best way to fix this would be deny writes to anything in
  ~/.config in the abstractions/private-files profile.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/698194/+subscriptions