
CVE-2019-10063: incomplete TIOCSTI filtering, similar to snapd's CVE-2019-7303 #2782

Closed
smcv opened this issue Mar 25, 2019 · 4 comments

Comments

@smcv
Collaborator

smcv commented Mar 25, 2019

On containers/bubblewrap#309, @wland32 wrote:

Snap just had a vulnerability where the TIOCSTI seccomp filter could be circumvented.
https://www.exploit-db.com/exploits/46594

Is bubblewrap also affected by this?

bubblewrap isn't directly affected, because it doesn't try to prevent TIOCSTI, but things like Flatpak that use bubblewrap might well be vulnerable to a very similar attack.

From the snapd advisory, USN-3917-1:

The snapd default seccomp filter for strict mode snaps blocks the use of the ioctl() system call when used with TIOCSTI as the second argument to the system call. Jann Horn discovered that this restriction could be circumvented on 64 bit architectures. A malicious snap could exploit this to bypass intended access restrictions to insert characters into the terminal’s input queue.

and from comments at the beginning of the snapd exploit:

This bytecode performs a 64-bit comparison; however, the syscall entry point for ioctl() is defined with a 32-bit command argument in the kernel:

SYSCALL_DEFINE3(ioctl, unsigned int, fd, unsigned int, cmd, unsigned long, arg)
{
  return ksys_ioctl(fd, cmd, arg);
}

This means that setting a bit in the high half of the command parameter will circumvent the seccomp filter while being ignored by the kernel.

If Flatpak is vulnerable, it will need its own CVE ID, because CVE-2019-7303 is for the snapd codebase.
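To make the mismatch quoted above concrete, here is an added example (not Flatpak's, snapd's, or libseccomp's code) that evaluates two hand-written seccomp programs in a tiny classic-BPF interpreter: the vulnerable shape, which compares all 64 bits of the ioctl command argument (high half must be 0 and low half must equal TIOCSTI, roughly what a plain equality rule on a 64-bit argument expands to), and the fixed shape, which compares only the low 32 bits, the same effect as a masked compare with mask 0xffffffff. It also shows the value the kernel's `unsigned int cmd` parameter actually receives. Assumptions: x86_64 (TIOCSTI = 0x5412, ioctl syscall number 16, little-endian argument halves); the opcode and return-value constants are local copies of the uapi values so the program builds without kernel headers, and the test value with bit 32 set is constructed for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local copies of classic-BPF opcodes and seccomp ABI values; numeric values
 * match <linux/filter.h> and <linux/seccomp.h>. */
#define BPF_LD   0x00
#define BPF_W    0x00
#define BPF_ABS  0x20
#define BPF_JMP  0x05
#define BPF_JEQ  0x10
#define BPF_K    0x00
#define BPF_RET  0x06
#define SECCOMP_RET_KILL_PROCESS 0x80000000u
#define SECCOMP_RET_ERRNO        0x00050000u
#define SECCOMP_RET_ALLOW        0x7fff0000u
#define SECCOMP_RET_ACTION_FULL  0xffff0000u

#define TIOCSTI  0x5412u /* assumed x86 value from <asm-generic/ioctls.h> */
#define NR_IOCTL 16      /* assumed x86_64 syscall number for ioctl(2) */

struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* Layout the kernel exposes to seccomp filters (uapi struct seccomp_data). */
struct seccomp_data {
    int nr;
    uint32_t arch;
    uint64_t instruction_pointer;
    uint64_t args[6];
};

#define BPF_STMT(code, k)         { (uint16_t)(code), 0, 0, (uint32_t)(k) }
#define BPF_JUMP(code, k, jt, jf) { (uint16_t)(code), (jt), (jf), (uint32_t)(k) }

/* Classic BPF has a 32-bit accumulator, so 64-bit args are read as two
 * halves. Low/high positions assume a little-endian host such as x86_64. */
#define OFF_NR      offsetof(struct seccomp_data, nr)
#define OFF_ARG1_LO (offsetof(struct seccomp_data, args) + 8)
#define OFF_ARG1_HI (offsetof(struct seccomp_data, args) + 12)

/* Interpreter for the three instruction kinds the programs below use. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k + 4 > sizeof *d)
                return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const unsigned char *)d + ins->k, 4);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K: /* target = pc + 1 + jt/jf */
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Vulnerable shape: full 64-bit compare, "high == 0 AND low == TIOCSTI".
 * Any set bit in the high half makes the rule miss. */
static const struct sock_filter vulnerable_prog[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF_NR),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_IOCTL, 0, 5),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF_ARG1_HI),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF_ARG1_LO),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Fixed shape: compare only the low 32 bits, which is all the kernel's
 * "unsigned int cmd" parameter ever sees (masked compare, mask 0xffffffff). */
static const struct sock_filter fixed_prog[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF_NR),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_IOCTL, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF_ARG1_LO),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Returns 1 if the program rejects ioctl(fd, arg1, ...) with an errno action. */
static int blocks(const struct sock_filter *prog, size_t len, uint64_t arg1)
{
    struct seccomp_data d = { .nr = NR_IOCTL, .args = { 3, arg1, 0, 0, 0, 0 } };
    uint32_t ret = run_filter(prog, len, &d);
    return (ret & SECCOMP_RET_ACTION_FULL) == SECCOMP_RET_ERRNO;
}

int vulnerable_filter_blocks(uint64_t ioctl_arg1)
{
    return blocks(vulnerable_prog, sizeof vulnerable_prog / sizeof vulnerable_prog[0], ioctl_arg1);
}

int fixed_filter_blocks(uint64_t ioctl_arg1)
{
    return blocks(fixed_prog, sizeof fixed_prog / sizeof fixed_prog[0], ioctl_arg1);
}

/* What SYSCALL_DEFINE3(ioctl, unsigned int, fd, unsigned int, cmd, ...) receives. */
uint32_t kernel_ioctl_cmd(uint64_t ioctl_arg1)
{
    return (unsigned int)ioctl_arg1;
}

int main(void)
{
    uint64_t cmds[] = { TIOCSTI, TIOCSTI | (1ULL << 32) }; /* second is constructed */
    for (size_t i = 0; i < 2; i++)
        printf("arg1=%#llx vulnerable_blocks=%d fixed_blocks=%d kernel_cmd=%#x\n",
               (unsigned long long)cmds[i], vulnerable_filter_blocks(cmds[i]),
               fixed_filter_blocks(cmds[i]), kernel_ioctl_cmd(cmds[i]));
    return 0;
}
```

The `fixed_prog` shape is the check a filter author wants for any syscall whose kernel prototype takes a narrower type than the 64-bit register it arrives in: match what the kernel will truncate to, not the full register.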

@alexlarsson
Member

I merged the PR and will do a release of 1.2.x and 1.0.x with this.

@smcv can you do the CVE dance to get a number for this?

alexlarsson pushed a commit that referenced this issue Mar 26, 2019
Closes #2782.

Closes: #2783
Approved by: alexlarsson

(cherry picked from commit a9107fe)
@smcv
Collaborator Author

smcv commented Mar 26, 2019

CVE requested. I've assumed that versions >= 1.3.1, 1.2.x >= 1.2.4 and 1.0.x >= 1.0.8 will fix this.

Are you going to do releases for any older branches? Debian stable still has 0.8.x (plus 1.2.x as an official backport) but I can backport the patch if the 0.8.x branch is no longer supported upstream.

@alexlarsson
Member

I'm only doing 1.0, 1.2, and 1.3

@smcv
Collaborator Author

smcv commented Mar 26, 2019

MITRE has allocated CVE-2019-10063.

@smcv changed the title from "might be vulnerable to an attack similar to CVE-2019-7303" to "CVE-2019-10063: incomplete TIOCSTI filtering, similar to snapd's CVE-2019-7303" Mar 26, 2019
gnomesysadmins pushed a commit to GNOME/gnome-desktop that referenced this issue Apr 13, 2019