On Mon, Jan 09, 2017 at 05:29:11PM +0000, Simon McVittie wrote:
> Control: reassign 850702 bubblewrap 0~git160513-1
> Control: forwarded 850702 https://github.com/projectatomic/bubblewrap/issues/142
> Control: tags 850702 + security upstream
>
> On Mon, 09 Jan 2017 at 14:19:36 +0100, up201407...@alunos.dcc.fc.up.pt wrote:
> > When executing a program via the bubblewrap sandbox, the nonpriv
> > session can escape to the parent session by using the TIOCSTI ioctl to
> > push characters into the terminal's input buffer, allowing an attacker
> > to escape the sandbox.
>
> Thanks. Do you have a proposed or preferred solution for this?

This affects a range of other packages:

login: CVE-2005-4890
policycoreutils: CVE-2016-7545
coreutils: CVE-2016-2781
util-linux: CVE-2016-2779
policykit: CVE-2016-2568

I think we should just restrict the ioctl to non-privileged users...

Cheers,
        Moritz