Bugzilla – Bug 1130637
VUL-0: CVE-2019-10063: flatpak: allows a sandbox bypass via IOCSTI
Last modified: 2022-10-31 01:36:23 UTC
Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1
allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by
using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl,
which could otherwise be used to inject commands into the controlling terminal
so that they would be executed outside the sandbox after the sandboxed app
exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be
bypassed by an ioctl request number that has TIOCSTI in its 32 least significant
bits and an arbitrary nonzero value in its 32 most significant bits, which the
Linux kernel would treat as equivalent to TIOCSTI.
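Added illustration of the two filter shapes the description contrasts (not flatpak's code, and not from this bug report): a classic-BPF seccomp rule that compares the whole 64-bit ioctl request, the masked rule that compares only its low 32 bits, and a small evaluator so the verdict for a request with a nonzero upper half can be checked without installing anything. It assumes x86-64 (little-endian argument layout) and the Linux linux/filter.h and linux/seccomp.h headers.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/ioctl.h>
/* Assumes x86-64 (little-endian): low 32 bits of args[1] at offsetof(args)+8,
   high 32 bits four bytes later. Entries below are {code, jt, jf, k}. */
#define ARG1_LO (offsetof(struct seccomp_data, args) + 8)
#define ARG1_HI (offsetof(struct seccomp_data, args) + 12)
#define DENY    (SECCOMP_RET_ERRNO | EPERM)
/* Pre-fix shape, a full 64-bit equality: deny only if hi == 0 and lo == TIOCSTI. */
static const struct sock_filter deny_exact64[] = {
    { BPF_LD | BPF_W | BPF_ABS, 0, 0, ARG1_HI },
    { BPF_JMP | BPF_JEQ | BPF_K, 0, 2, 0 },        /* hi != 0 -> allow */
    { BPF_LD | BPF_W | BPF_ABS, 0, 0, ARG1_LO },
    { BPF_JMP | BPF_JEQ | BPF_K, 1, 0, TIOCSTI },  /* lo == TIOCSTI -> deny */
    { BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW },
    { BPF_RET | BPF_K, 0, 0, DENY },
};
/* Fixed shape: compare only the 32 bits the kernel's ioctl handler keeps. */
static const struct sock_filter deny_low32[] = {
    { BPF_LD | BPF_W | BPF_ABS, 0, 0, ARG1_LO },
    { BPF_JMP | BPF_JEQ | BPF_K, 0, 1, TIOCSTI },
    { BPF_RET | BPF_K, 0, 0, DENY },
    { BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW },
};
/* Tiny classic-BPF evaluator for the three opcodes used above (no prctl(2)). */
static uint32_t run_filter(const struct sock_filter *p, size_t n,
                           const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        if (p[pc].code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)d + p[pc].k, sizeof acc);
        else if (p[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == p[pc].k) ? p[pc].jt : p[pc].jf;
        else if (p[pc].code == (BPF_RET | BPF_K))
            return p[pc].k;
        else return SECCOMP_RET_KILL;        /* opcode not modelled here */
    }
    return SECCOMP_RET_KILL;                 /* fell off the end */
}
/* 1 if the filter refuses ioctl(fd, req, ...), 0 if it lets it through. */
static int blocks_request(const struct sock_filter *p, size_t n, uint64_t req) {
    struct seccomp_data d = {0};
    d.args[1] = req;
    return run_filter(p, n, &d) != SECCOMP_RET_ALLOW;
}
/* The kernel's ioctl entry point receives the request as unsigned int. */
static uint32_t kernel_cmd(uint64_t req) { return (uint32_t)req; }
```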
Antonio, can you take this one?
I see SUSE:SLE-15:Update flatpak is still affected.
flatpak does actually contain the fix, just the changelog entry references an attempt to fix a gnome-desktop bug -
Wed May 15 09:12:45 UTC 2019 - qzheng <firstname.lastname@example.org>
- Add CVE-2019-11460.patch to only compare the lowest 32 ioctl
arg bits for TIOCSTI (boo#1133043, CVE-2019-11460,
I think the confusion was because the code that has this issue was copied among several different upstream projects, so when fixing gnome-desktop bug 1133043 qzheng saw a comment referencing an upstream flatpak fix and applied that patch.
I guess what we need to do is
1. Edit the changelog of flatpak and append the correct CVE reference to that commit.
2. Check bsc#1133043 and see if gnome-desktop still actually needs this fix added.
Thank you for finding it out; unfortunately qzheng has left the company for a while.
So I have submitted to flatpak and gnome-desktop on sle-15:update to clean up the mess.