Quoting "Simon McVittie" <s...@debian.org>:

Control: reassign 850702 bubblewrap 0~git160513-1
Control: forwarded 850702 https://github.com/projectatomic/bubblewrap/issues/142
Control: tags 850702 + security upstream

On Mon, 09 Jan 2017 at 14:19:36 +0100, up201407...@alunos.dcc.fc.up.pt wrote:
When executing a program via the bubblewrap sandbox, the nonpriv
session can escape to the parent session by using the TIOCSTI ioctl to
push characters into the terminal's input buffer, allowing an attacker
to escape the sandbox.

Thanks. Do you have a proposed or preferred solution for this?

Using setsid(), for example.

Please direct any further correspondence about this bug upstream if
possible: I've opened a GitHub bug
https://github.com/projectatomic/bubblewrap/issues/142 for that.

This has been assigned CVE-2017-5226.

Assigned by whom?

It was assigned by MITRE, using their web form.

If you are auditing for security vulnerabilities, please try to follow the
normal disclosure best-practices: in particular, if a vulnerability is not
already public, please contact upstream maintainers privately first, to
give them a chance to fix a vulnerability before the general public know
about it.

Sorry about that.

As for blocking the ioctl, that breaks legitimate use.

I had this discussion with Stanislav Brabec, from SUSE, a while ago.

"Just for curiosity, I just ran grep for TIOCSTI ioctl() over all
openSUSE sources. I got about 60 matches.

I analyzed use of some cases:

util-linux: used in agetty in wait_for_term_input()
kbd: contrib utility sti equal to tiocsti utility.
irda: Used by handle_scancode() to emulate input.
tcsh: Used in ed mode and in pushback().
emacs: Used in stuff_char() (putting char to be read from terminal)
..."
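
The setsid() approach suggested in the message above, as an added example that is not part of the original e-mail or of bubblewrap's code: a launcher forks, the child calls setsid() before it would exec the sandboxed program, and the child then confirms it no longer has a controlling terminal. Without CAP_SYS_ADMIN, Linux accepts TIOCSTI only on the caller's controlling terminal, so a child detached this way cannot use it on the inherited terminal file descriptors. The helper name `child_detached_after_setsid` is hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not bubblewrap code): fork a child, move it into a
 * new session, and report whether it still has a controlling terminal.
 * Returns 1 if detached, 0 if still attached, -1 on error. */
int child_detached_after_setsid(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* A freshly forked child is never a process-group leader,
         * so setsid() is permitted here. */
        if (setsid() < 0 || getsid(0) != getpid())
            _exit(2);
        /* /dev/tty names the controlling terminal; with none, open()
         * fails. O_NOCTTY ensures the open cannot acquire one. */
        int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
        if (fd >= 0) {
            close(fd);
            _exit(1);               /* still attached */
        }
        /* A real launcher would exec the sandboxed program here. */
        _exit(0);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 1;
    case 1:  return 0;
    default: return -1;
    }
}

int main(void)
{
    int r = child_detached_after_setsid();
    printf("child detached from controlling terminal: %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "error");
    return r == 1 ? 0 : 1;
}
```

A process in a new session also loses shell job control on that terminal, which is a side effect to account for in interactive use.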



