apparmor-utils: AppArmor userlevel utilities that are useful in creating AppArmor profiles.
----------------------------------------------------------------------
File: apparmor-utils-2.0-23.5.noarch.rpm
Patchrpm: apparmor-utils-2.0-23.5.noarch.patch.rpm
Version: 2.0-23.5
Size: 71 kB
Patchsize: 35 kB
Date: Mon 17 Jul 2006 14:53:15 CEST
Source: apparmor-utils-2.0-23.5.src.rpm
Security: Yes
----------------------------------------------------------------------
Description: This update fixes security problems in the AppArmor confinment technology.

Since it adds new flags to the profile syntax, you likely should review
and adapt your profiles.

- If a profile allowed unconfined execution ("ux") of a child binary it
  was possible to inject code via LD_PRELOAD or similar environment
  variables into this child binary and execute code without confiment.

  We have added new flag "Ux" (and "Px" for "px") which makes the executed
  child clear the most critical environment variables (similar to setuid
  programs).
  Special care needs to be taken nevertheless that this interaction
  between parent and child programs can not be exploited in other ways
  to gain the rights of the child process.

- If a resource is marked as "r" in the profile it was possible to use
  mmap with PROT_EXEC flag set to load this resource as executable piece
  of code, making it effectively "ix".

  This could be used by a coordinated attack between two applications
  to potentially inject code into the reader.

  To allow mmap() executable access, supply the "m" flag to the
  applications profile.

Please also review the updated documentation.