On Tue, 7 Jul 2026 09:23:26 -0500
Aaron Rainbolt <[email protected]> wrote:

> On Tue, Jul 7, 2026 at 7:47 AM Neal Gompa <[email protected]> wrote:
> >
> > I don't entirely agree with this assessment. Fixing the handler so
> > that it doesn't execute it if it's not marked executable would
> > largely mitigate this problem too.  
> 
> This does not work. Someone did *exactly* this and I was able to
> leverage it to escape sandboxes (vuln report is under embargo at the
> moment). When you use a binfmt-misc handler, then when the sandboxed
> executable tries to run the program, the kernel runs it *in* the
> sandbox. When you use a MIME handler that gates access on the
> executable bit, where the handler executes outside of the sandbox,
> then when the sandboxed executable calls the MIME handler on a
> marked-executable file, the file runs outside of (and thus escapes)
> the sandbox.

To elaborate on this since the issue is now no longer under embargo:
the bug I was referring to was Ubuntu's .jar launcher mechanism. See
https://bugs.launchpad.net/bugs/2153100 and
https://www.cve.org/CVERecord?id=CVE-2026-10037.

--
Aaron

Attachment: pgp5ZCFHzRBsk.pgp
Description: OpenPGP digital signature

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to