CVE-2019-10063: incomplete TIOCSTI filtering, similar to snapd's CVE-2019-7303

Related Vulnerabilities: CVE-2019-10063   CVE-2019-7303   CVE-2017-5226  

Debian Bug report logs - #925541
CVE-2019-10063: incomplete TIOCSTI filtering, similar to snapd's CVE-2019-7303


Reported by: Simon McVittie <smcv@debian.org>

Date: Tue, 26 Mar 2019 15:30:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version flatpak/0.8.0-2

Fixed in versions flatpak/1.2.3-2, flatpak/0.8.9-0+deb9u3

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/flatpak/flatpak/issues/2782




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#925541; Package flatpak. (Tue, 26 Mar 2019 15:30:04 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 26 Mar 2019 15:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2019-10063: incomplete TIOCSTI filtering, similar to snapd's CVE-2019-7303
Date: Tue, 26 Mar 2019 15:28:03 +0000
Package: flatpak
Version: 0.8.0-2
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/flatpak/flatpak/issues/2782

flatpak versions since 0.8.1 (and Debian's 0.8.0-2, which has backports
of the upstream changes that became 0.8.1) attempt to prevent malicious
apps from escalating their privileges by injecting commands into the
controlling terminal with the TIOCSTI ioctl (CVE-2017-5226).

This fix was incomplete: on 64-bit platforms, seccomp looks at the whole
64-bit word, but the kernel only looks at the low 32 bits. This means we
also have to block commands like (0x1234567800000000 | TIOCSTI).
CVE-2019-10063 has been allocated for this vulnerability, which closely
resembles CVE-2019-7303 in snapd.

Mitigation: as usual with Flatpak sandbox bypasses, this can only be
exploited if you install a malicious app from a trusted source. The
sandbox parameters used for most apps are currently sufficiently weak
that a malicious app could do other equally bad things that we cannot
prevent, for example by abusing the X11 protocol.

For the testing/unstable distribution (buster/sid) this will be fixed
in version 1.2.4, or in 1.2.3-2 if 1.2.4 isn't released soon.

For the stable distribution (stretch) upstream do not intend to do a
new 0.8.x release, so this will have to be fixed by backporting. It's
a simple backport.

Security team: I assume you probably won't want to do a DSA for this?

    smcv
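
The mismatch the report describes, modelled in C as an added example (not Flatpak's, libseccomp's or the kernel's own code): the kernel's ioctl(2) takes its request number as a 32-bit unsigned int, while a seccomp rule that tests the full 64-bit syscall argument for equality misses every value whose high 32 bits are nonzero. The TIOCSTI value 0x5412 and the libseccomp comparator names in the comments are assumptions taken from Linux x86 and libseccomp, not stated on the page.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
/* Linux TIOCSTI request number on x86 (assumed; the report does not give it). */
#define LINUX_TIOCSTI 0x5412u

/* Kernel side: ioctl(2)'s cmd parameter is an unsigned int, so the 64-bit
   register value is truncated to its low 32 bits before dispatch. */
static bool kernel_treats_as_tiocsti(uint64_t raw_arg1)
{
    return (uint32_t)raw_arg1 == LINUX_TIOCSTI;
}

/* Pre-fix rule of the form SCMP_A1(SCMP_CMP_EQ, TIOCSTI): seccomp compares
   the whole 64-bit seccomp_data.args[1] against the 32-bit constant. */
static bool vulnerable_rule_blocks(uint64_t raw_arg1)
{
    return raw_arg1 == (uint64_t)LINUX_TIOCSTI;
}

/* Fixed rule of the form SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFF, TIOCSTI):
   only the low 32 bits are compared, which matches the kernel's truncation. */
static bool fixed_rule_blocks(uint64_t raw_arg1)
{
    return (raw_arg1 & 0xFFFFFFFFu) == LINUX_TIOCSTI;
}

/* True when every sample the kernel executes as TIOCSTI is blocked by the rule. */
static bool rule_is_complete(bool (*rule)(uint64_t), const uint64_t *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (kernel_treats_as_tiocsti(s[i]) && !rule(s[i]))
            return false;
    return true;
}

/* Constructed sample arguments, including the bypass form from the report. */
static const uint64_t samples[] = {
    LINUX_TIOCSTI,
    0x1234567800000000ull | LINUX_TIOCSTI,
    0xFFFFFFFF00000000ull | LINUX_TIOCSTI,
    0x5413u, /* an adjacent request number, not TIOCSTI */
};
#define NSAMPLES (sizeof samples / sizeof samples[0])

int main(void)
{
    printf("pre-fix rule complete: %d\n", rule_is_complete(vulnerable_rule_blocks, samples, NSAMPLES));
    printf("fixed rule complete:   %d\n", rule_is_complete(fixed_rule_blocks, samples, NSAMPLES));
    return 0;
}
```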



Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#925541; Package flatpak. (Tue, 26 Mar 2019 20:39:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 26 Mar 2019 20:39:02 GMT)


Message #10 received at 925541@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Simon McVittie <smcv@debian.org>, 925541@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#925541: CVE-2019-10063: incomplete TIOCSTI filtering, similar to snapd's CVE-2019-7303
Date: Tue, 26 Mar 2019 21:35:31 +0100
Hi Simon,

On Tue, Mar 26, 2019 at 03:28:03PM +0000, Simon McVittie wrote:
> Package: flatpak
> Version: 0.8.0-2
> Severity: important
> Tags: patch security upstream
> Forwarded: https://github.com/flatpak/flatpak/issues/2782
> 
> flatpak versions since 0.8.1 (and Debian's 0.8.0-2, which has backports
> of the upstream changes that became 0.8.1) attempt to prevent malicious
> apps from escalating their privileges by injecting commands into the
> controlling terminal with the TIOCSTI ioctl (CVE-2017-5226).
> 
> This fix was incomplete: on 64-bit platforms, seccomp looks at the whole
> 64-bit word, but the kernel only looks at the low 32 bits. This means we
> also have to block commands like (0x1234567800000000 | TIOCSTI).
> CVE-2019-10063 has been allocated for this vulnerability, which closely
> resembles CVE-2019-7303 in snapd.
> 
> Mitigation: as usual with Flatpak sandbox bypasses, this can only be
> exploited if you install a malicious app from a trusted source. The
> sandbox parameters used for most apps are currently sufficiently weak
> that a malicious app could do other equally bad things that we cannot
> prevent, for example by abusing the X11 protocol.
> 
> For the testing/unstable distribution (buster/sid) this will be fixed
> in version 1.2.4, or in 1.2.3-2 if 1.2.4 isn't released soon.
> 
> For the stable distribution (stretch) upstream do not intend to do a
> new 0.8.x release, so this will have to be fixed by backporting. It's
> a simple backport.
> 
> Security team: I assume you probably won't want to do a DSA for this?

Ack. Can you fix the issue via (upcoming) point release for stretch?

Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#925541; Package flatpak. (Tue, 26 Mar 2019 21:06:04 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 26 Mar 2019 21:06:04 GMT)


Message #15 received at 925541@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 925541@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#925541: CVE-2019-10063: incomplete TIOCSTI filtering, similar to snapd's CVE-2019-7303
Date: Tue, 26 Mar 2019 21:02:56 +0000
On Tue, 26 Mar 2019 at 21:35:31 +0100, Salvatore Bonaccorso wrote:
> On Tue, Mar 26, 2019 at 03:28:03PM +0000, Simon McVittie wrote:
> > Security team: I assume you probably won't want to do a DSA for this?
> 
> Ack. Can you fix the issue via (upcoming) point release for stretch?

Yes, that should be fine.

    smcv



Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Tue, 26 Mar 2019 22:15:56 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Tue, 26 Mar 2019 22:15:56 GMT)


Message #20 received at 925541-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 925541-close@bugs.debian.org
Subject: Bug#925541: fixed in flatpak 1.2.3-2
Date: Tue, 26 Mar 2019 22:03:45 +0000
Source: flatpak
Source-Version: 1.2.3-2

We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 925541@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 26 Mar 2019 20:38:36 +0000
Source: flatpak
Architecture: source
Version: 1.2.3-2
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 925541
Changes:
 flatpak (1.2.3-2) unstable; urgency=high
 .
   * seccomp: Reject all ioctls that the kernel will interpret as TIOCSTI,
     including those where the high 32 bits in a 64-bit word are nonzero.
     (Closes: #925541, CVE-2019-10063)





Message sent on to Simon McVittie <smcv@debian.org>:
Bug#925541. (Tue, 26 Mar 2019 22:15:58 GMT)


Message #23 received at 925541-submitter@bugs.debian.org:

From: Simon McVittie <noreply@salsa.debian.org>
To: 925541-submitter@bugs.debian.org
Subject: Bug #925541 in flatpak marked as pending
Date: Tue, 26 Mar 2019 21:57:13 +0000
Control: tag -1 pending

Hello,

Bug #925541 in flatpak reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/flatpak/commit/70d6be53f6fbbc64710d1a56df1fadeb83c3522a

------------------------------------------------------------------------
seccomp: Reject all ioctls that the kernel will interpret as TIOCSTI

This avoids privilege escalation by malicious apps if the high 32 bits
in a 64-bit word are nonzero and the low 32 bits are TIOCSTI.

CVE-2019-10063

Closes: #925541
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/925541



Added tag(s) pending. Request was from Simon McVittie <noreply@salsa.debian.org> to 925541-submitter@bugs.debian.org. (Tue, 26 Mar 2019 22:15:58 GMT)


Message sent on to Simon McVittie <smcv@debian.org>:
Bug#925541. (Tue, 26 Mar 2019 22:16:00 GMT)


Message #28 received at 925541-submitter@bugs.debian.org:

From: Simon McVittie <noreply@salsa.debian.org>
To: 925541-submitter@bugs.debian.org
Subject: Bug #925541 in flatpak marked as pending
Date: Tue, 26 Mar 2019 21:40:39 +0000
Control: tag -1 pending

Hello,

Bug #925541 in flatpak reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/flatpak/commit/f4a4d2866d42110b93d614b2429c1cab15cc82d8

------------------------------------------------------------------------
seccomp: Reject all ioctls that the kernel will interpret as TIOCSTI

This avoids privilege escalation by malicious apps if the high 32 bits
in a 64-bit word are nonzero and the low 32 bits are TIOCSTI.

CVE-2019-10063

Closes: #925541
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/925541



Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Sun, 14 Apr 2019 09:36:10 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Sun, 14 Apr 2019 09:36:10 GMT)


Message #33 received at 925541-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 925541-close@bugs.debian.org
Subject: Bug#925541: fixed in flatpak 0.8.9-0+deb9u3
Date: Sun, 14 Apr 2019 09:32:10 +0000
Source: flatpak
Source-Version: 0.8.9-0+deb9u3

We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 925541@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 26 Mar 2019 21:11:16 +0000
Source: flatpak
Binary: flatpak flatpak-builder flatpak-tests gir1.2-flatpak-1.0 libflatpak-dev libflatpak-doc libflatpak0
Architecture: source
Version: 0.8.9-0+deb9u3
Distribution: stretch
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-builder - Flatpak application building helper
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak-doc - Application deployment framework for desktop apps (documentation)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 925541
Changes:
 flatpak (0.8.9-0+deb9u3) stretch; urgency=medium
 .
   * d/p/run-Only-compare-the-lowest-32-ioctl-arg-bits-for-TIOCSTI.patch:
     Reject all ioctls that the kernel will interpret as TIOCSTI,
     including those where the high 32 bits in a 64-bit word are nonzero.
     (Closes: #925541, CVE-2019-10063)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 13 May 2019 07:26:27 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:24:56 2019; Machine Name: beach
