||The sockets subsystem in Android 5.0.x before 5.0.2, 5.1.x before
5.1.1, and 6.x before 2016-07-01 allows attackers to gain privileges
via a crafted application that uses (1) the AF_MSM_IPC socket class or
(2) another socket class that is unrecognized by SELinux, aka internal
||Docker Engine before 1.6.1 allows local users to set arbitrary Linux
Security Modules (LSM) and docker_t policies via an image that allows
volumes to override files in /proc.
||The get_rpm_nvr_by_file_path_temporary function in util.py in
setroubleshoot before 3.2.22 allows remote attackers to execute
arbitrary commands via shell metacharacters in a file name.
||attach.c in LXC 1.1.2 and earlier uses the proc filesystem in a
container, which allows local container users to escape AppArmor or
SELinux confinement by mounting a proc filesystem with a crafted (1)
AppArmor profile or (2) SELinux label.
||The security_context_to_sid_core function in
security/selinux/ss/services.c in the Linux kernel before 3.13.4
allows local users to cause a denial of service (system crash) by
leveraging the CAP_MAC_ADMIN capability to set a zero-length security
||systemd, when updating file permissions, allows local users to change
the permissions and SELinux security contexts for arbitrary files via
a symlink attack on unspecified files.
||virt-edit in libguestfs before 1.18.0 does not preserve the
permissions from the original file and saves the new file with
world-readable permissions when editing, which might allow local guest
users to obtain sensitive information.
||The seunshare_mount function in sandbox/seunshare.c in seunshare in
certain Red Hat packages of policycoreutils 2.0.83 and earlier in Red
Hat Enterprise Linux (RHEL) 6 and earlier, and Fedora 14 and earlier,
mounts a new directory on top of /tmp without assigning root ownership
and the sticky bit to this new directory, which allows local users to
replace or delete arbitrary /tmp files, and consequently cause a
denial of service or possibly gain privileges, by running a setuid
application that relies on /tmp, as demonstrated by the ksu
||The ima_lsm_rule_init function in security/integrity/ima/ima_policy.c
in the Linux kernel before 2.6.37, when the Linux Security Modules
(LSM) framework is disabled, allows local users to bypass Integrity
Measurement Architecture (IMA) rules in opportunistic circumstances by
leveraging an administrator's addition of an IMA rule for LSM.
||lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the
metadata of an executable file during replacement of the file in an
RPM package upgrade or deletion of the file in an RPM package removal,
which might allow local users to gain privileges or bypass intended
access restrictions by creating a hard link to a vulnerable file that
has (1) POSIX file capabilities or (2) SELinux context information, a
related issue to CVE-2010-2059.
||The Linux kernel before 2.6.31-rc7 does not properly prevent mmap
operations that target page zero and other low memory addresses, which
allows local users to gain privileges by exploiting NULL pointer
dereference vulnerabilities, related to (1) the default configuration
of the allow_unconfined_mmap_low boolean in SELinux on Red Hat
Enterprise Linux (RHEL) 5, (2) an error that causes
allow_unconfined_mmap_low to be ignored in the unconfined_t domain,
(3) lack of a requirement for the CAP_SYS_RAWIO capability for these
mmap operations, and (4) interaction between the mmap_min_addr
protection mechanism and certain application programs.
||The tun_chr_poll function in drivers/net/tun.c in the tun subsystem in
the Linux kernel 2.6.30 and 22.214.171.124, when the
-fno-delete-null-pointer-checks gcc option is omitted, allows local
users to gain privileges via vectors involving a NULL pointer
dereference and an mmap of /dev/net/tun, a different vulnerability
||The selinux_ip_postroute_iptables_compat function in
security/selinux/hooks.c in the SELinux subsystem in the Linux kernel
before 126.96.36.199, and 2.6.28.x before 188.8.131.52, when compat_net is
enabled, omits calls to avc_has_perm for the (1) node and (2) port,
which allows local users to bypass intended restrictions on network
traffic. NOTE: this was incorrectly reported as an issue fixed in
||sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH
snapshot, allows remote authenticated users to obtain access to
arbitrary SELinux roles by appending a :/ (colon slash) sequence,
followed by the role name, to the username.
||Linux kernel 2.6.x up to 2.6.18 and possibly other versions, when
SELinux hooks are enabled, allows local users to cause a denial of
service (crash) via a malformed file stream that triggers a NULL
pointer dereference in the superblock_doinit function, as demonstrated
using an HFS filesystem image.
||The selinux_ptrace logic in hooks.c in SELinux for Linux 2.6.6 allows
local users with ptrace permissions to change the tracer SID to an SID
of another process.
||The selinux_parse_skb_ipv6 function in security/selinux/hooks.c in the
Linux kernel before 2.6.12-rc4 allows remote attackers to cause a
denial of service (OOPS) via vectors associated with an incorrect call
to the ipv6_skip_exthdr function.
||The SELinux version of PAM before 0.78 r3 allows local users to
perform brute force password guessing attacks via unix_chkpwd, which
does not log failed guesses or delay its responses.
||Race condition in SELinux 2.6.x through 2.6.9 allows local users to
cause a denial of service (kernel crash) via SOCK_SEQPACKET unix
domain sockets, which are not properly handled in the