Amazon Linux 1 Security Advisory: ALAS-2016-765
Advisory Release Date: 2016-11-10 18:00 Pacific
Advisory Updated Date: 2016-11-10 18:00 Pacific
It was found that the sandbox tool provided in policycoreutils was vulnerable to a TIOCSTI ioctl attack. A specially crafted program executed via the sandbox command could use this flaw to execute arbitrary commands in the context of the parent bash, escaping the sandbox.
Affected Packages:
policycoreutils
Issue Correction:
Run yum update policycoreutils to update your system.
i686:
policycoreutils-debuginfo-2.1.12-5.25.amzn1.i686
policycoreutils-restorecond-2.1.12-5.25.amzn1.i686
policycoreutils-2.1.12-5.25.amzn1.i686
policycoreutils-newrole-2.1.12-5.25.amzn1.i686
policycoreutils-python-2.1.12-5.25.amzn1.i686
src:
policycoreutils-2.1.12-5.25.amzn1.src
x86_64:
policycoreutils-python-2.1.12-5.25.amzn1.x86_64
policycoreutils-restorecond-2.1.12-5.25.amzn1.x86_64
policycoreutils-debuginfo-2.1.12-5.25.amzn1.x86_64
policycoreutils-newrole-2.1.12-5.25.amzn1.x86_64
policycoreutils-2.1.12-5.25.amzn1.x86_64
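An added example, not part of the original advisory: a POSIX shell check that flags policycoreutils packages older than the fixed build 2.1.12-5.25.amzn1 listed above, reading "name version-release" lines such as those produced by rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'. The function names, the simplified version comparison (no epoch handling) and the sample inventory are assumptions constructed for illustration.

```sh
#!/bin/sh
# Fixed version-release, taken from the advisory's package list.
FIXED_VR="2.1.12-5.25.amzn1"

# vr_lt A B: succeed when version-release A is strictly older than B.
# Simplified comparison (assumption, not rpm's own algorithm): split on
# '.' and '-', compare numeric fields as numbers, other fields as strings.
vr_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] == y[i]) continue
            if (x[i] ~ /^[0-9]+$/ && y[i] ~ /^[0-9]+$/)
                exit !((x[i] + 0) < (y[i] + 0))
            exit !(x[i] < y[i])
        }
        exit 1
    }' </dev/null
}

# check_inventory: read "name version-release" lines on stdin and report
# every policycoreutils package or subpackage older than the fixed build.
# Returns 1 when at least one such package is found, 0 otherwise.
check_inventory() {
    found=0
    while read -r name vr; do
        case "$name" in
            policycoreutils|policycoreutils-*) ;;
            *) continue ;;
        esac
        if vr_lt "$vr" "$FIXED_VR"; then
            printf 'VULNERABLE %s %s (fixed in %s)\n' "$name" "$vr" "$FIXED_VR"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample inventory (not real host data); the 5.23 build number
# is made up to stand for "older than the fix".
sample_inventory() {
    printf '%s\n' \
        'bash 4.2.46-20.36.amzn1' \
        'policycoreutils 2.1.12-5.23.amzn1' \
        'policycoreutils-python 2.1.12-5.25.amzn1'
}

sample_inventory | check_inventory || echo 'Run: yum update policycoreutils'
```

On a live host, replace sample_inventory with the rpm -qa query named above.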