CVE-2019-10063
flatpak: Sandbox bypass via IOCSTI (incomplete fix for CVE-2017-5226)
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox after the sandboxed app exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be bypassed by an ioctl request number that has TIOCSTI in its 32 least significant bits and an arbitrary nonzero value in its 32 most significant bits, which the Linux kernel would treat as equivalent to TIOCSTI.
Flatpak, en versiones anteriores a la 1.0.8, 1.1.x y 1.2.x anteriores a la 1.2.4, y en las versiones 1.3.x anteriores a la 1.3.1, permite omitir el sandbox. Las versiones de Flatpak desde la 0.8.1 abordan CVE-2017-5226 mediante un filtro seccomp para evitar que las aplicaciones del sandbox empleen el ioctl TIOCSTI, que podría emplearse para inyectar comandos en la terminal de control para que se ejecuten fuera del sandbox una vez la aplicación en el sandbox se cierra. La solución estaba incompleta: en las plataformas de 64 bits, el filtro seccomp podría ser omitido por un número de petición ioctl que tiene TIOCSTI en los 32 bits menos significativos y un valor arbitrario que no es cero en sus 32 bits más significativos, lo que el kernel de Linux trataría como un equivalente a TIOCSTI.
An incomplete fix for CVE-2017-5226 was found in flatpak. A sandbox bypass flaw was found in the way bubblewrap, which is used for sandboxing flatpak applications handled the TIOCSTI ioctl. A malicious flatpak application could use this flaw to inject commands into the controlled terminal of the host after the flatpak applications exits. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-03-26 CVE Reserved
- 2019-03-26 CVE Published
- 2024-03-19 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-266: Incorrect Privilege Assignment
CAPEC
References (5)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/flatpak/flatpak/issues/2782 | 2019-05-13 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2019:1024 | 2019-05-13 | |
| https://access.redhat.com/errata/RHSA-2019:1143 | 2019-05-13 | |
| https://access.redhat.com/security/cve/CVE-2019-10063 | 2019-05-13 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1695973 | 2019-05-13 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Flatpak Search vendor "Flatpak" | Flatpak Search vendor "Flatpak" for product "Flatpak" | < 1.0.8 Search vendor "Flatpak" for product "Flatpak" and version " < 1.0.8" | - |
Affected
| ||||||
| Flatpak Search vendor "Flatpak" | Flatpak Search vendor "Flatpak" for product "Flatpak" | >= 1.1.0 <= 1.1.3 Search vendor "Flatpak" for product "Flatpak" and version " >= 1.1.0 <= 1.1.3" | - |
Affected
| ||||||
| Flatpak Search vendor "Flatpak" | Flatpak Search vendor "Flatpak" for product "Flatpak" | >= 1.2.0 < 1.2.4 Search vendor "Flatpak" for product "Flatpak" and version " >= 1.2.0 < 1.2.4" | - |
Affected
| ||||||
| Flatpak Search vendor "Flatpak" | Flatpak Search vendor "Flatpak" for product "Flatpak" | 1.3.0 Search vendor "Flatpak" for product "Flatpak" and version "1.3.0" | - |
Affected
| ||||||