Bug 1216199 (CVE-2023-5557) - VUL-0: CVE-2023-5557: tracker-miners: sandbox escape
Summary: VUL-0: CVE-2023-5557: tracker-miners: sandbox escape
Status: NEW
Alias: CVE-2023-5557
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/381702/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-5557:7.7:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-10-13 07:12 UTC by SMASH SMASH
Modified: 2024-02-21 08:22 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-10-13 07:12:40 UTC
A flaw was found in the tracker-miners package. A weakness in the sandbox allows
a maliciously-crafted file to execute code outside the sandbox if the
tracker-extract process has first been compromised by a separate vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-5557
https://access.redhat.com/security/cve/CVE-2023-5557
Comment 3 Robert Frohl 2023-10-13 09:17:41 UTC
FTR: RH bug states that 3.2.2 is fixed, this is incorrect.

> tag 3.2.2
> Tagger: Carlos Garnacho <carlosg@gnome.org>
> Date:   Sun Mar 6 23:27:49 2022 +0100
> 
> Release 3.2.2
Comment 9 Alynx Zhou 2023-12-06 08:10:18 UTC
I'll handle this, thanks.
Comment 10 Alynx Zhou 2023-12-08 07:32:21 UTC
https://build.opensuse.org/request/show/1132037
For GNOME:STABLE:41

GNOME:STALE:3.34 needs more time because it needs a backport from Tracker3 to Tracker2, which requires a lot of file and interface changes.
Comment 11 Alynx Zhou 2023-12-08 07:41:23 UTC
https://build.opensuse.org/request/show/1132039
For GNOME:STABLE:41
Comment 12 Alynx Zhou 2023-12-08 09:58:14 UTC
Hi security team,

While this bug is easy to fix on SLE-15-SP4, it is hard to deal with on SLE-15-SP2. That is because we have Tracker 2 in SLE-15-SP2 and Tracker 3 in SLE-15-SP4. The fix itself is generally moving all file system related operations out of the sandboxed process and doing them in the miner daemon via DBus requests, so all fs related syscalls could be blocked by the sandbox.

From Tracker 2 to Tracker 3 a lot of files changed. To achieve this in the current version of our tracker-miners package, I have already created a patch with more than 3000 lines, and things are still not finished yet. The dbus object we need in miners for sparql does not exist in the current version of our tracker package, and it will be hard to maintain thousands of lines of patches in two packages.

And for this bug itself, the origin is CVE-2023-43641 in libcue. I found that we don't have a fix for libcue yet; it's a 1-line fix (<https://github.com/lipnitsk/libcue/commit/fdf72c8bded8d24cfa0608b8e97f2eed210a920e>), so I think maybe we should fix libcue first.

I really want to hear your opinion on this. We need to fix libcue first, and then I doubt whether it is worth introducing such big changes to tracker and tracker-miners.
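The fix direction described in comment 12 (the sandboxed process does no path-based file access; another process does the opening), as an added example that is not tracker-miners code and not part of the original comment: a parent opens a constructed temporary file, and a forked child installs a seccomp filter that denies `open`/`openat`, then reads only from the descriptor it was handed. Descriptor inheritance stands in for the DBus requests, and `block_open_syscalls` and `run_demo` are hypothetical names.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* Fail syscall `nr` with EPERM; any other number falls through. */
#define DENY(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM)

/* Demo filter: blocks path-based opens only; a real sandbox also checks arch. */
static int block_open_syscalls(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        DENY(__NR_openat),
#ifdef __NR_open
        DENY(__NR_open),
#endif
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Returns 0 if the child read the broker's fd but could not open a path
 * (1: open not denied, 2: read failed, 4: no filter, -1: setup error). */
int run_demo(void) {
    FILE *sample = tmpfile();   /* constructed input, opened by the broker */
    if (!sample) return -1;
    fputs("constructed sample file\n", sample); rewind(sample);
    int fd = fileno(sample), status = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {             /* extractor role: sandbox first, then read */
        char buf[64];
        if (block_open_syscalls() != 0) _exit(4);
        int denied = open("/dev/null", O_RDONLY) == -1 && errno == EPERM;
        _exit((denied ? 0 : 1) | (read(fd, buf, sizeof buf) > 0 ? 0 : 2));
    }
    waitpid(pid, &status, 0);
    fclose(sample);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
int main(void) { printf("run_demo() = %d\n", run_demo()); return 0; }
```

A result of 0 means that, even if the parser in the child were compromised, it could not open additional files by path once the filter was installed.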
Comment 13 Michael Gorse 2023-12-08 14:35:17 UTC
(In reply to Alynx Zhou from comment #12)
> And for this bug itself, the origin is because CVE-2023-43641 in libcue, I
> found that we don't have fix for libcue yet, it's a 1-line fix
> (<https://github.com/lipnitsk/libcue/commit/fdf72c8bded8d24cfa0608b8e97f2eed210a920e>), so I think maybe we should fix
> libcue first.

The libcue CVE is bsc#1215728. I submitted a fix for SUSE:SLE-15:Update a while ago. The version in factory already has the fix. Let me know if anything else is missing.
Comment 14 Alynx Zhou 2023-12-08 16:02:27 UTC
After creating 2 patches with nearly 4200 lines, it still doesn't work correctly on my Leap 15.2. Nearly everything changed between Tracker 2 and Tracker 3: library interfaces are renamed, source files are moved, and the DBus interface is different. I think it is not worth making such a big change to Tracker 2.
Comment 15 Alynx Zhou 2023-12-08 16:02:59 UTC
(In reply to Michael Gorse from comment #13)
> The libcue CVE is bsc#1215728. I submitted a fix for SUSE:SLE-15:Update a
> while ago. The version in factory already has the fix. Let me know if
> anything else is missing.

Great, thanks!
Comment 20 Maintenance Automation 2023-12-14 16:30:25 UTC
SUSE-SU-2023:4868-1: An update that solves one vulnerability and contains one feature can now be installed.

Category: security (important)
Bug References: 1216199
CVE References: CVE-2023-5557
Jira References: PED-6193
Sources used:
openSUSE Leap 15.4 (src): tracker-miners-3.2.2-150400.3.7.1
openSUSE Leap 15.5 (src): tracker-miners-3.2.2-150400.3.7.1
Desktop Applications Module 15-SP4 (src): tracker-miners-3.2.2-150400.3.7.1
Desktop Applications Module 15-SP5 (src): tracker-miners-3.2.2-150400.3.7.1
SUSE Linux Enterprise Workstation Extension 15 SP4 (src): tracker-miners-3.2.2-150400.3.7.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): tracker-miners-3.2.2-150400.3.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 OBSbugzilla Bot 2024-01-11 15:35:10 UTC
This is an autogenerated message for OBS integration:
This bug (1216199) was mentioned in
https://build.opensuse.org/request/show/1138128 Factory / tracker-miners
Comment 22 Alynx Zhou 2024-02-21 08:22:43 UTC
Assign back to security team, finished fixing from GNOME side.