CVE-2016-1585

Name: CVE-2016-1585
Description: In all versions of AppArmor mount rules are accidentally widened when compiled.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 929990

Vulnerable and fixed packages

The table below lists information on source packages.

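| Source Package | Release | Version | Status |
| --- | --- | --- | --- |
| apparmor (PTS) | buster | 2.13.2-10 | vulnerable |
| apparmor | bullseye | 2.13.6-10 | vulnerable |
| apparmor | bookworm | 3.0.8-3 | vulnerable |
| apparmor | trixie | 3.0.13-2 | fixed |
| apparmor | sid | 3.1.7-1 | fixed |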

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
| --- | --- | --- | --- | --- | --- | --- |
| apparmor | source | (unstable) | 3.0.12-1 | unimportant | | 929990 |

Notes

https://bugs.launchpad.net/apparmor/+bug/1597017
https://bugzilla.opensuse.org/show_bug.cgi?id=995594
Introduced around AppArmor 2.8 upstream.
Mount rules support is enabled in Debian, but the impact of the issue is
limited to 1. lxc (not a regression, as Debian never confined LXC with AppArmor
by default before buster, in particular not with mount rules), 2. libvirtd
but the profile is not meant to be a strong security boundary.
https://bugs.launchpad.net/apparmor/+bug/1597017/comments/6
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.10
Fixed by: https://gitlab.com/apparmor/apparmor/-/commit/262fd11359432888292952e5ed29bead5ace16f0 (v3.0.10)
Negligible security impact / known limitation
