Bug 1130637 - (CVE-2019-10063) VUL-0: CVE-2019-10063: flatpak: allows a sandbox bypass via IOCSTI
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other OS: Other
Priority: P4 - Low Severity: Minor
Target Milestone: ---
Assigned To: Antonio Larrosa
Security Team bot
https://smash.suse.de/issue/227141/
CVSSv3:SUSE:CVE-2019-10063:7.3:(AV:L/...
:
Depends on:
Blocks:
Reported: 2019-03-27 07:25 UTC by Marcus Meissner
Modified: 2022-10-31 01:36 UTC (History)
CC: 6 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
yfjiang: needinfo? (gianluca.gabrielli)


Description Marcus Meissner 2019-03-27 07:25:57 UTC
CVE-2019-10063

Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1
allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by
using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl,
which could otherwise be used to inject commands into the controlling terminal
so that they would be executed outside the sandbox after the sandboxed app
exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be
bypassed by an ioctl request number that has TIOCSTI in its 32 least significant
bits and an arbitrary nonzero value in its 32 most significant bits, which the
Linux kernel would treat as equivalent to TIOCSTI.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10063
https://github.com/flatpak/flatpak/issues/2782
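The description above turns on one detail: the ioctl(2) syscall carries its request number in a 64-bit register on x86_64, but the kernel entry point takes the command as an unsigned int, so the 32 most significant bits are discarded before dispatch. A seccomp rule that compares the whole 64-bit argument against TIOCSTI therefore blocks only the canonical encoding, while the kernel also honours every encoding with junk in the high half. The following C program is an added illustration, not code from flatpak, SUSE, or this bug; it models the flawed comparison next to the masked one (the libseccomp forms SCMP_CMP_EQ versus SCMP_CMP_MASKED_EQ with a 0xFFFFFFFF mask are stated here as background, not taken from the page), and it never issues an ioctl itself. The probe request numbers are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ioctl.h>   /* provides TIOCSTI on Linux */

#ifndef TIOCSTI
#define TIOCSTI 0x5412   /* asm-generic value; fallback if the header lacks it */
#endif

/* Mask covering the 32 bits the kernel actually consumes from the request. */
#define IOCTL_REQ_MASK 0xFFFFFFFFULL

/* How the kernel sees the argument: the ioctl(2) entry point takes the
 * command as an unsigned int, so the upper 32 bits of the 64-bit syscall
 * argument are dropped before the request is dispatched. */
int kernel_treats_as_tiocsti(uint64_t request)
{
    return (uint32_t)request == (uint32_t)TIOCSTI;
}

/* Flawed rule (models the pre-fix filter): exact 64-bit equality, the
 * equivalent of an SCMP_CMP_EQ comparison on the full argument. */
int weak_rule_blocks(uint64_t request)
{
    return request == (uint64_t)TIOCSTI;
}

/* Fixed rule (models the behaviour the advisory describes for 1.2.4/1.3.1):
 * compare only the low 32 bits, the equivalent of SCMP_CMP_MASKED_EQ with
 * a 0xFFFFFFFF mask. */
int masked_rule_blocks(uint64_t request)
{
    return (request & IOCTL_REQ_MASK) == ((uint64_t)TIOCSTI & IOCTL_REQ_MASK);
}

/* A request bypasses a rule when the kernel would execute it as TIOCSTI
 * but the rule lets it through. */
int rule_is_bypassed(int (*blocks)(uint64_t), uint64_t request)
{
    return kernel_treats_as_tiocsti(request) && !blocks(request);
}

/* Count how many probe requests slip past a given rule. The probe set is
 * constructed: the canonical request plus two with non-zero high halves. */
int count_bypasses(int (*blocks)(uint64_t))
{
    const uint64_t probes[] = {
        (uint64_t)TIOCSTI,
        ((uint64_t)1 << 32) | (uint64_t)TIOCSTI,
        ((uint64_t)0xDEADBEEF << 32) | (uint64_t)TIOCSTI,
    };
    int n = 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        if (rule_is_bypassed(blocks, probes[i]))
            n++;
    return n;
}

int main(void)
{
    printf("weak rule bypassed by %d probe(s)\n", count_bypasses(weak_rule_blocks));
    printf("masked rule bypassed by %d probe(s)\n", count_bypasses(masked_rule_blocks));
    return 0;
}
```

The same mismatch applies to any argument-filtering seccomp rule on a 64-bit ABI where the kernel reads the argument as a narrower type: the rule must compare exactly the bits the kernel compares, which is why the changelog entry quoted later in this bug talks about "only compare the lowest 32 ioctl arg bits".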
Comment 1 Scott Reeves 2019-03-27 18:23:33 UTC
Antonio, can you take this one?
Comment 4 Marcus Meissner 2022-10-26 11:59:35 UTC
I see SUSE:SLE-15:Update flatpak still affected.
Comment 5 Scott Reeves 2022-10-26 19:55:51 UTC
flatpak does actually contain the fix; it is just that the changelog entry references an attempt to fix a gnome-desktop bug:
https://bugzilla.suse.com/show_bug.cgi?id=1133043


Wed May 15 09:12:45 UTC 2019 - qzheng <qzheng@suse.com>
- Add CVE-2019-11460.patch to only compare the lowest 32 ioctl
  arg bits for TIOCSTI (boo#1133043, CVE-2019-11460,
  boo#1133041, CVE-2019-11461).


I think the confusion was because the code that has this issue was copied among several different upstream projects, so when fixing gnome-desktop bug 1133043 qzheng saw a comment referencing an upstream flatpak fix and applied that patch.

I guess what we need to do is:
1. Edit the changelog of flatpak and append the correct CVE reference to that commit.
2. Check bsc#1133043 and see if gnome-desktop still actually needs this fix added.
Comment 6 Yifan Jiang 2022-10-27 03:54:55 UTC
Thank you for finding that out; unfortunately, qzheng left the company a while ago.

So I have submitted to flatpak and gnome-desktop on sle-15:update to clean up the mess.