[Pkg-utopia-maintainers] Bug#925541: CVE-2019-10063: incomplete TIOCSTI filtering, similar to snapd's CVE-2019-7303

Salvatore Bonaccorso carnil at debian.org
Tue Mar 26 20:35:31 GMT 2019


Hi Simon,

On Tue, Mar 26, 2019 at 03:28:03PM +0000, Simon McVittie wrote:
> Package: flatpak
> Version: 0.8.0-2
> Severity: important
> Tags: patch security upstream
> Forwarded: https://github.com/flatpak/flatpak/issues/2782
> 
> flatpak versions since 0.8.1 (and Debian's 0.8.0-2, which has backports
> of the upstream changes that became 0.8.1) attempt to prevent malicious
> apps from escalating their privileges by injecting commands into the
> controlling terminal with the TIOCSTI ioctl (CVE-2017-5226).
> 
> This fix was incomplete: on 64-bit platforms, seccomp looks at the whole
> 64-bit word, but the kernel only looks at the low 32 bits. This means we
> also have to block commands like (0x1234567800000000 | TIOCSTI).
> CVE-2019-10063 has been allocated for this vulnerability, which closely
> resembles CVE-2019-7303 in snapd.
> 
> Mitigation: as usual with Flatpak sandbox bypasses, this can only be
> exploited if you install a malicious app from a trusted source. The
> sandbox parameters used for most apps are currently sufficiently weak
> that a malicious app could do other equally bad things that we cannot
> prevent, for example by abusing the X11 protocol.
> 
> For the testing/unstable distribution (buster/sid) this will be fixed
> in version 1.2.4, or in 1.2.3-2 if 1.2.4 isn't released soon.
> 
> For the stable distribution (stretch) upstream do not intend to do a
> new 0.8.x release, so this will have to be fixed by backporting. It's
> a simple backport.
> 
> Security team: I assume you probably won't want to do a DSA for this?

Ack. Can you fix the issue via (upcoming) point release for stretch?

Salvatore
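As an added example, not flatpak's own code (which uses libseccomp), the masked comparison Simon describes above written as a raw seccomp-BPF program for x86_64: the filter loads only the low 32 bits of the ioctl request word, so the high-bits variants of TIOCSTI are denied together with the plain one. The struct seccomp_data layout, little-endian word order and the in-process interpreter are assumptions of this example, not the kernel's own code.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Hardened filter: deny ioctl when (args[1] & 0xffffffff) == TIOCSTI. Loading one
 * 32-bit word at offsetof(args[1]) (the low word on little-endian x86_64) is the
 * masked compare; the high word, which the kernel's ioctl() discards, is never
 * consulted, so 0x1234567800000000 | TIOCSTI is denied exactly like TIOCSTI. */
static const struct sock_filter tiocsti_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),            /* foreign arch: kill */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),  /* not ioctl: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),     /* other request: allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Run the filter over a constructed x86_64 syscall (number nr, second argument
 * arg1) with a minimal interpreter for the three opcodes used above, so the
 * program can be exercised without installing it via prctl(PR_SET_SECCOMP). */
uint32_t decide_x86_64(int nr, uint64_t arg1)
{
    const struct seccomp_data d = { .nr = nr, .arch = AUDIT_ARCH_X86_64, .args = { 0, arg1 } };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < sizeof tiocsti_filter / sizeof tiocsti_filter[0]; pc++) {
        const struct sock_filter *i = &tiocsti_filter[pc];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS:    /* acc = 32-bit word at offset k of seccomp_data */
            memcpy(&acc, (const char *)&d + i->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:   /* skip jt (true) or jf (false) instructions */
            pc += (acc == i->k) ? i->jt : i->jf;
            break;
        case BPF_RET | BPF_K:
            return i->k;
        }
    }
    return SECCOMP_RET_KILL;              /* unsupported opcode or ran off the end */
}
```

A plain 64-bit equality against TIOCSTI (the CVE-2019-10063 bug) would accept the same request once any high bit is set; the single low-word load above is what a libseccomp SCMP_CMP_MASKED_EQ rule with mask 0xffffffff compiles down to.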


