Bug 1130637 - (CVE-2019-10063) VUL-0: CVE-2019-10063: flatpak: allows a sandbox bypass via IOCSTI
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other OS: Other
Priority: P4 - Low Severity: Minor
Target Milestone: ---
Assigned To: Antonio Larrosa
QA Contact: Security Team bot
Depends on:
Reported: 2019-03-27 07:25 UTC by Marcus Meissner
Modified: 2022-10-31 01:36 UTC
CC: 6 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Flags: yfjiang: needinfo? (gianluca.gabrielli)


Description Marcus Meissner 2019-03-27 07:25:57 UTC

Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1
allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by
using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl,
which could otherwise be used to inject commands into the controlling terminal
so that they would be executed outside the sandbox after the sandboxed app
exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be
bypassed by an ioctl request number that has TIOCSTI in its 32 least significant
bits and an arbitrary nonzero value in its 32 most significant bits, which the
Linux kernel would treat as equivalent to TIOCSTI.

Comment 1 Scott Reeves 2019-03-27 18:23:33 UTC
Antonio - can you take this one?
Comment 4 Marcus Meissner 2022-10-26 11:59:35 UTC
I see SUSE:SLE-15:Update flatpak still affected.
Comment 5 Scott Reeves 2022-10-26 19:55:51 UTC
flatpak does actually contain the fix, just the changelog entry references an attempt to fix a gnome-desktop bug -

Wed May 15 09:12:45 UTC 2019 - qzheng <qzheng@suse.com>
- Add CVE-2019-11460.patch to only compare the lowest 32 ioctl
  arg bits for TIOCSTI (boo#1133043, CVE-2019-11460,
  boo#1133041, CVE-2019-11461).

I think the confusion was because the code that has this issue was copied among several different upstream projects so when fixing gnome-desktop bug 1133043 qzheng saw a comment referencing an upstream flatpak fix and applied that patch.

I guess what we need to do is
1. Edit the changelog of flatpak and append the correct CVE reference to that commit.
2. Check bsc#1133043 and see if gnome-desktop still actually needs this fix added.
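
The following is an added example, not flatpak's code nor the patch referenced in the changelog above. It models the defect from the description (a seccomp rule that tests all 64 bits of the ioctl request, so a request with TIOCSTI in the low 32 bits and a nonzero high word slips past) next to the corrected rule from the changelog entry in Comment 5 (compare only the lowest 32 bits). Both rules are written as raw seccomp-bpf programs and run through a small constructed interpreter so nothing is installed into the process; the example assumes Linux headers (`linux/filter.h`, `linux/seccomp.h`, `__NR_ioctl`) and a little-endian target such as x86_64 or aarch64, where the low half of `args[1]` sits at the lower offset.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>

#ifndef TIOCSTI
#define TIOCSTI 0x5412 /* asm-generic Linux value; fallback only */
#endif

/* Offsets of the two 32-bit halves of args[1] (the ioctl request) inside
 * struct seccomp_data. BPF loads are 32-bit, so a filter reads the halves
 * separately; this example assumes little-endian layout (low half first). */
#define ARG1_LO (offsetof(struct seccomp_data, args[1]))
#define ARG1_HI (offsetof(struct seccomp_data, args[1]) + 4)
#define DENY    (SECCOMP_RET_ERRNO | EPERM)

/* Vulnerable rule: deny only if low half == TIOCSTI AND high half == 0,
 * i.e. a full 64-bit equality test against the request number. */
static const struct sock_filter naive_prog[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 5), /* not ioctl -> allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG1_LO),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 3),    /* low half differs -> allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG1_HI),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 1),          /* high half nonzero -> allow: the gap */
    BPF_STMT(BPF_RET | BPF_K, DENY),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Fixed rule: look only at the low 32 bits, which is all the kernel keeps
 * (sys_ioctl takes the request as `unsigned int cmd`). */
static const struct sock_filter fixed_prog[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG1_LO),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, DENY),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Constructed interpreter for the three opcodes used above (absolute 32-bit
 * load, jump-if-equal-immediate, return-immediate); it stands in for the
 * kernel's BPF engine so the rules can be exercised without installing them. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *data)
{
    const unsigned char *mem = (const unsigned char *)data;
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, mem + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL; /* unsupported opcode in this toy engine */
        }
    }
    return SECCOMP_RET_KILL;
}

/* Build the seccomp_data the kernel would hand to the filter for
 * ioctl(fd, request, ...) and report whether the rule denies it. */
static bool blocks(const struct sock_filter *prog, size_t len, uint64_t request)
{
    struct seccomp_data data;
    memset(&data, 0, sizeof data);
    data.nr = __NR_ioctl;
    data.args[1] = request; /* args[0] would be the tty fd */
    return run_filter(prog, len, &data) != SECCOMP_RET_ALLOW;
}

bool naive_filter_blocks(uint64_t request)
{
    return blocks(naive_prog, sizeof naive_prog / sizeof naive_prog[0], request);
}

bool fixed_filter_blocks(uint64_t request)
{
    return blocks(fixed_prog, sizeof fixed_prog / sizeof fixed_prog[0], request);
}

/* The driver only ever sees the low 32 bits of the request register. */
uint32_t request_as_seen_by_kernel(uint64_t request)
{
    return (uint32_t)request;
}

int main(void)
{
    uint64_t plain  = TIOCSTI;
    uint64_t padded = (1ULL << 32) | TIOCSTI; /* constructed: nonzero high half */
    printf("request 0x%llx: naive blocks=%d fixed blocks=%d kernel sees 0x%x\n",
           (unsigned long long)plain, naive_filter_blocks(plain),
           fixed_filter_blocks(plain), request_as_seen_by_kernel(plain));
    printf("request 0x%llx: naive blocks=%d fixed blocks=%d kernel sees 0x%x\n",
           (unsigned long long)padded, naive_filter_blocks(padded),
           fixed_filter_blocks(padded), request_as_seen_by_kernel(padded));
    return 0;
}
```

The rule of thumb the changelog encodes: a seccomp argument comparison must be no stricter than the type the kernel actually consumes. For an `unsigned int` parameter such as the ioctl request, that means comparing the low 32 bits only; in libseccomp the same thing is expressed with a masked comparison (`SCMP_CMP_MASKED_EQ` with mask `0xffffffff`) rather than a plain equality on the 64-bit argument.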
Comment 6 Yifan Jiang 2022-10-27 03:54:55 UTC
Thank you for finding it out. Unfortunately, qzheng has left the company for a while.

So I have submitted to flatpak and gnome-desktop on sle-15:update to clean up the mess.