Bug#925541: CVE-2019-10063: incomplete TIOCSTI filtering, similar to snapd's CVE-2019-7303

2019-03-26 Thread Simon McVittie
On Tue, 26 Mar 2019 at 21:35:31 +0100, Salvatore Bonaccorso wrote:
> On Tue, Mar 26, 2019 at 03:28:03PM +, Simon McVittie wrote:
> > Security team: I assume you probably won't want to do a DSA for this?
> 
> Ack. Can you fix the issue via the (upcoming) point release for stretch?

Yes, that should be fine.

smcv



Bug#925541: CVE-2019-10063: incomplete TIOCSTI filtering, similar to snapd's CVE-2019-7303

2019-03-26 Thread Salvatore Bonaccorso
Hi Simon,

On Tue, Mar 26, 2019 at 03:28:03PM +, Simon McVittie wrote:
> Package: flatpak
> Version: 0.8.0-2
> Severity: important
> Tags: patch security upstream
> Forwarded: https://github.com/flatpak/flatpak/issues/2782
> 
> flatpak versions since 0.8.1 (and Debian's 0.8.0-2, which has backports
> of the upstream changes that became 0.8.1) attempt to prevent malicious
> apps from escalating their privileges by injecting commands into the
> controlling terminal with the TIOCSTI ioctl (CVE-2017-5226).
> 
> This fix was incomplete: on 64-bit platforms, seccomp looks at the whole
> 64-bit word, but the kernel only looks at the low 32 bits. This means we
> also have to block commands like (0x12345678 | TIOCSTI).
> CVE-2019-10063 has been allocated for this vulnerability, which closely
> resembles CVE-2019-7303 in snapd.
> 
> Mitigation: as usual with Flatpak sandbox bypasses, this can only be
> exploited if you install a malicious app from a trusted source. The
> sandbox parameters used for most apps are currently sufficiently weak
> that a malicious app could do other equally bad things that we cannot
> prevent, for example by abusing the X11 protocol.
> 
> For the testing/unstable distribution (buster/sid) this will be fixed
> in version 1.2.4, or in 1.2.3-2 if 1.2.4 isn't released soon.
> 
> For the stable distribution (stretch) upstream do not intend to do a
> new 0.8.x release, so this will have to be fixed by backporting. It's
> a simple backport.
> 
> Security team: I assume you probably won't want to do a DSA for this?

Ack. Can you fix the issue via the (upcoming) point release for stretch?

Salvatore



Bug#925541: CVE-2019-10063: incomplete TIOCSTI filtering, similar to snapd's CVE-2019-7303

2019-03-26 Thread Simon McVittie
Package: flatpak
Version: 0.8.0-2
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/flatpak/flatpak/issues/2782

flatpak versions since 0.8.1 (and Debian's 0.8.0-2, which has backports
of the upstream changes that became 0.8.1) attempt to prevent malicious
apps from escalating their privileges by injecting commands into the
controlling terminal with the TIOCSTI ioctl (CVE-2017-5226).

This fix was incomplete: on 64-bit platforms, seccomp looks at the whole
64-bit word, but the kernel only looks at the low 32 bits. This means we
also have to block commands like (0x12345678 | TIOCSTI).
CVE-2019-10063 has been allocated for this vulnerability, which closely
resembles CVE-2019-7303 in snapd.

Mitigation: as usual with Flatpak sandbox bypasses, this can only be
exploited if you install a malicious app from a trusted source. The
sandbox parameters used for most apps are currently sufficiently weak
that a malicious app could do other equally bad things that we cannot
prevent, for example by abusing the X11 protocol.

For the testing/unstable distribution (buster/sid) this will be fixed
in version 1.2.4, or in 1.2.3-2 if 1.2.4 isn't released soon.

For the stable distribution (stretch) upstream do not intend to do a
new 0.8.x release, so this will have to be fixed by backporting. It's
a simple backport.

Security team: I assume you probably won't want to do a DSA for this?

smcv
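As an added example (not Flatpak's own code, nor anything from the bug report or its patch), the following C program models the filter logic the report describes: a small classic-BPF interpreter runs two seccomp filter programs over constructed seccomp_data records for ioctl() calls. The first filter compares both 32-bit halves of args[1], as libseccomp's SCMP_CMP_EQ does on a 64-bit ABI, so a request whose low word is TIOCSTI but whose high word is nonzero slips through to ALLOW; the second looks only at the low word, which is all the kernel's ioctl entry point keeps. Assumptions not stated in the report: an x86_64 little-endian layout of struct seccomp_data, opcode/action/ioctl constants reproduced from the Linux UAPI headers, and the names buggy_filter, fixed_filter, run_filter, verdict_buggy, verdict_fixed and kernel_cmd, which are mine.

```c
/* Added example, not Flatpak's code: model of a seccomp-BPF ioctl filter
 * showing the CVE-2019-10063 bypass and the masked fix.
 * Assumptions: x86_64, little-endian (args[1] low word at +0, high word
 * at +4); constants mirror linux/bpf_common.h, linux/seccomp.h and
 * asm-generic/ioctls.h. The filters are never installed, only interpreted. */
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic BPF opcodes used here (values as in linux/bpf_common.h). */
#define OP_LD_W_ABS 0x20u /* BPF_LD  | BPF_W   | BPF_ABS */
#define OP_JEQ_K    0x15u /* BPF_JMP | BPF_JEQ | BPF_K   */
#define OP_RET_K    0x06u /* BPF_RET | BPF_K             */

#define SECCOMP_RET_KILL_THREAD 0x00000000u
#define SECCOMP_RET_ERRNO       0x00050000u
#define SECCOMP_RET_ALLOW       0x7fff0000u
#define ACT_DENY (SECCOMP_RET_ERRNO | EPERM) /* fail the call with EPERM */

#define AUDIT_ARCH_X86_64 0xc000003eu
#define NR_IOCTL_X86_64   16u
#define TIOCSTI           0x5412u
#define TCGETS            0x5401u /* a harmless ioctl, for contrast */

/* Layout of struct seccomp_data from linux/seccomp.h. */
struct seccomp_data_m {
    int      nr;
    uint32_t arch;
    uint64_t instruction_pointer;
    uint64_t args[6];
};
#define OFF_NR      offsetof(struct seccomp_data_m, nr)
#define OFF_ARCH    offsetof(struct seccomp_data_m, arch)
#define OFF_ARG1_LO (offsetof(struct seccomp_data_m, args) + 1 * 8)
#define OFF_ARG1_HI (OFF_ARG1_LO + 4)

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define STMT(c, k)         { (c), 0, 0, (k) }
#define JUMP(c, k, jt, jf) { (c), (jt), (jf), (k) }
#define NINSN(p) (sizeof (p) / sizeof *(p))

/* Pre-fix behaviour: SCMP_CMP_EQ on a 64-bit ABI tests both halves of the
 * argument, so a nonzero high word makes the rule miss and falls to ALLOW. */
static const struct insn buggy_filter[] = {
    STMT(OP_LD_W_ABS, OFF_ARCH),
    JUMP(OP_JEQ_K, AUDIT_ARCH_X86_64, 0, 8), /* wrong arch -> KILL */
    STMT(OP_LD_W_ABS, OFF_NR),
    JUMP(OP_JEQ_K, NR_IOCTL_X86_64, 0, 5),   /* not ioctl -> ALLOW */
    STMT(OP_LD_W_ABS, OFF_ARG1_LO),
    JUMP(OP_JEQ_K, TIOCSTI, 0, 3),           /* low word differs -> ALLOW */
    STMT(OP_LD_W_ABS, OFF_ARG1_HI),
    JUMP(OP_JEQ_K, 0, 0, 1),                 /* high word nonzero -> ALLOW: the bypass */
    STMT(OP_RET_K, ACT_DENY),
    STMT(OP_RET_K, SECCOMP_RET_ALLOW),
    STMT(OP_RET_K, SECCOMP_RET_KILL_THREAD),
};

/* Fixed behaviour: only the low 32 bits are compared, because the kernel's
 * ioctl(unsigned int fd, unsigned int cmd, ...) never sees the rest. */
static const struct insn fixed_filter[] = {
    STMT(OP_LD_W_ABS, OFF_ARCH),
    JUMP(OP_JEQ_K, AUDIT_ARCH_X86_64, 0, 6), /* wrong arch -> KILL */
    STMT(OP_LD_W_ABS, OFF_NR),
    JUMP(OP_JEQ_K, NR_IOCTL_X86_64, 0, 3),   /* not ioctl -> ALLOW */
    STMT(OP_LD_W_ABS, OFF_ARG1_LO),
    JUMP(OP_JEQ_K, TIOCSTI, 0, 1),           /* low word is TIOCSTI -> DENY */
    STMT(OP_RET_K, ACT_DENY),
    STMT(OP_RET_K, SECCOMP_RET_ALLOW),
    STMT(OP_RET_K, SECCOMP_RET_KILL_THREAD),
};

/* Interpret a classic-BPF program over one syscall's seccomp_data. */
static uint32_t run_filter(const struct insn *prog, size_t len,
                           const struct seccomp_data_m *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len;) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case OP_LD_W_ABS:
            assert(i->k + 4 <= sizeof *d);          /* stay inside seccomp_data */
            memcpy(&acc, (const unsigned char *)d + i->k, 4);
            pc++;
            break;
        case OP_JEQ_K: pc += 1 + (acc == i->k ? i->jt : i->jf); break;
        case OP_RET_K:  return i->k;
        default:        return SECCOMP_RET_KILL_THREAD; /* opcode not modelled */
        }
    }
    return SECCOMP_RET_KILL_THREAD; /* the kernel refuses to load programs that fall off the end */
}

/* Constructed seccomp_data for ioctl(0, request, 0) from x86_64 user space. */
static struct seccomp_data_m ioctl_call(uint64_t request)
{
    struct seccomp_data_m d = { .nr = (int)NR_IOCTL_X86_64, .arch = AUDIT_ARCH_X86_64 };
    d.args[1] = request;
    return d;
}

uint32_t verdict_buggy(uint64_t request)
{
    struct seccomp_data_m d = ioctl_call(request);
    return run_filter(buggy_filter, NINSN(buggy_filter), &d);
}

uint32_t verdict_fixed(uint64_t request)
{
    struct seccomp_data_m d = ioctl_call(request);
    return run_filter(fixed_filter, NINSN(fixed_filter), &d);
}

/* The kernel takes cmd as unsigned int: the high 32 bits of the register are dropped. */
uint32_t kernel_cmd(uint64_t request) { return (uint32_t)request; }

int main(void)
{
    const uint64_t probes[] = { TIOCSTI, (0x12345678ull << 32) | TIOCSTI, TCGETS };
    for (size_t i = 0; i < NINSN(probes); i++)
        printf("request 0x%016llx: kernel cmd 0x%x, buggy filter %s, fixed filter %s\n",
               (unsigned long long)probes[i], kernel_cmd(probes[i]),
               verdict_buggy(probes[i]) == SECCOMP_RET_ALLOW ? "ALLOW" : "DENY",
               verdict_fixed(probes[i]) == SECCOMP_RET_ALLOW ? "ALLOW" : "DENY");
    return 0;
}
```

Running it prints the three rows: the plain TIOCSTI is denied by both filters, the request with garbage in the high word is allowed by the buggy filter but denied by the fixed one even though the kernel would dispatch both to TIOCSTI, and TCGETS passes both. The same fix in libseccomp terms is a masked comparison, SCMP_A1(SCMP_CMP_MASKED_EQ, 0xffffffff, TIOCSTI), rather than SCMP_CMP_EQ; the rule also generalises to any 32-bit-typed syscall argument matched from a 64-bit register. The arch check at the top of each program is there because seccomp_data's nr is meaningless without it; a real filter is loaded with seccomp(2) or prctl(PR_SET_SECCOMP), which this model deliberately does not do.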