[Pkg-utopia-maintainers] Bug#925541: CVE-2019-10063: incomplete TIOCSTI filtering, similar to snapd's CVE-2019-7303

Simon McVittie smcv at debian.org
Tue Mar 26 15:28:03 GMT 2019


Package: flatpak
Version: 0.8.0-2
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/flatpak/flatpak/issues/2782

flatpak versions since 0.8.1 (and Debian's 0.8.0-2, which has backports
of the upstream changes that became 0.8.1) attempt to prevent malicious
apps from escalating their privileges by injecting commands into the
controlling terminal with the TIOCSTI ioctl (CVE-2017-5226).

This fix was incomplete: on 64-bit platforms, seccomp looks at the whole
64-bit word, but the kernel only looks at the low 32 bits. This means we
also have to block commands like (0x1234567800000000 | TIOCSTI).
CVE-2019-10063 has been allocated for this vulnerability, which closely
resembles CVE-2019-7303 in snapd.
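The mismatch described above, as an added example that is not code from this report or from flatpak: two seccomp-BPF programs for ioctl(2), the incomplete one that compares the whole 64-bit argument and the corrected one that compares only the low 32 bits the kernel actually uses, evaluated offline by a small BPF interpreter instead of being installed. It assumes a little-endian 64-bit Linux ABI (x86-64, aarch64) so the low half of `args[1]` is at the lower address, uses `EPERM` as the deny action and fd 0 as the terminal, and skips the `arch` check a production filter performs first; the filter rules, the fallback `TIOCSTI` value and the helper names are this example's own.

```c
/* Added example: why a seccomp rule on ioctl must match only the low 32 bits
 * of the request. Assumes little-endian 64-bit Linux (x86-64, aarch64). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/filter.h>    /* struct sock_filter, BPF_STMT, BPF_JUMP */
#include <linux/seccomp.h>   /* struct seccomp_data, SECCOMP_RET_* */
#include <sys/ioctl.h>       /* TIOCSTI, TIOCGWINSZ */
#include <sys/syscall.h>     /* __NR_ioctl */

#ifndef TIOCSTI
#define TIOCSTI 0x5412       /* fallback only: the x86 / arm64 value */
#endif

/* Byte offsets into struct seccomp_data loaded by the filters below. */
#define SD_NR      offsetof(struct seccomp_data, nr)
#define SD_ARG1_LO (offsetof(struct seccomp_data, args) + 1 * sizeof(uint64_t))
#define SD_ARG1_HI (SD_ARG1_LO + 4)

#define DENY  (SECCOMP_RET_ERRNO | EPERM)
#define ALLOW SECCOMP_RET_ALLOW

/* Incomplete check: a plain 64-bit "arg1 == TIOCSTI" test. The deny only
 * fires when the high word is zero, so junk in the high 32 bits slips past
 * even though the kernel never looks at those bits. */
static const struct sock_filter naive_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_NR),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 5),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARG1_HI),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 3),          /* the hole */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARG1_LO),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, DENY),
    BPF_STMT(BPF_RET | BPF_K, ALLOW),
};

/* Corrected check: compare only the low 32 bits, i.e. the `unsigned int cmd`
 * the kernel's ioctl entry point receives. (A real filter validates `arch`
 * before trusting the syscall number; omitted here.) */
static const struct sock_filter fixed_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_NR),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARG1_LO),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, DENY),
    BPF_STMT(BPF_RET | BPF_K, ALLOW),
};

/* Minimal evaluator for the three instruction kinds used above, so the
 * programs can be exercised without prctl(PR_SET_SECCOMP, ...). */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + 4 > sizeof *d) return SECCOMP_RET_KILL;
            memcpy(&acc, (const unsigned char *)d + in->k, 4);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;  /* target = pc + 1 + off */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;                 /* not modelled */
        }
    }
    return SECCOMP_RET_KILL;                         /* fell off the end */
}

/* What the kernel sees: the request is `unsigned int`, high bits are dropped. */
uint32_t kernel_request_seen(uint64_t arg1) { return (uint32_t)arg1; }

static struct seccomp_data ioctl_call(uint64_t request)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = __NR_ioctl;
    d.args[0] = 0;           /* fd 0: the controlling terminal in this scenario */
    d.args[1] = request;
    return d;
}

/* 1 if the filter refuses the ioctl, 0 if it lets it reach the kernel. */
int naive_blocks(uint64_t request)
{
    struct seccomp_data d = ioctl_call(request);
    return run_filter(naive_filter, sizeof naive_filter / sizeof *naive_filter, &d) != ALLOW;
}

int fixed_blocks(uint64_t request)
{
    struct seccomp_data d = ioctl_call(request);
    return run_filter(fixed_filter, sizeof fixed_filter / sizeof *fixed_filter, &d) != ALLOW;
}

int main(void)
{
    const uint64_t smuggled = 0x1234567800000000ULL | TIOCSTI;  /* from the report */
    printf("kernel sees 0x%x\n", kernel_request_seen(smuggled));
    printf("naive: plain=%d high-bits=%d\n", naive_blocks(TIOCSTI), naive_blocks(smuggled));
    printf("fixed: plain=%d high-bits=%d\n", fixed_blocks(TIOCSTI), fixed_blocks(smuggled));
    return 0;
}
```

To install `fixed_filter` for real, wrap it in a `struct sock_fprog`, call `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` and then `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)`; with libseccomp the same rule is `SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFF, TIOCSTI)` rather than `SCMP_CMP_EQ`, which is the shape of the mask-based fix.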

Mitigation: as usual with Flatpak sandbox bypasses, this can only be
exploited if you install a malicious app from a trusted source. The
sandbox parameters used for most apps are currently sufficiently weak
that a malicious app could do other equally bad things that we cannot
prevent, for example by abusing the X11 protocol.

For the testing/unstable distribution (buster/sid) this will be fixed
in version 1.2.4, or in 1.2.3-2 if 1.2.4 isn't released soon.

For the stable distribution (stretch) upstream do not intend to do a
new 0.8.x release, so this will have to be fixed by backporting. It's
a simple backport.

Security team: I assume you probably won't want to do a DSA for this?

    smcv
