On Tue, 7 Jul 2026 09:23:26 -0500 Aaron Rainbolt <[email protected]> wrote:
> On Tue, Jul 7, 2026 at 7:47 AM Neal Gompa <[email protected]> wrote: > > > > I don't entirely agree with this assessment. Fixing the handler so > > that it doesn't execute it if it's not marked executable would > > largely mitigate this problem too. > > This does not work. Someone did *exactly* this and I was able to > leverage it to escape sandboxes (vuln report is under embargo at the > moment). When you use a binfmt-misc handler, then when the sandboxed > executable tries to run the program, the kernel runs it *in* the > sandbox. When you use a MIME handler that gates access on the > executable bit, where the handler executes outside of the sandbox, > then when the sandboxed executable calls the MIME handler on a > marked-executable file, the file runs outside of (and thus escapes) > the sandbox. To elaborate on this since the issue is now no longer under embargo: the bug I was referring to was Ubuntu's .jar launcher mechanism. See https://bugs.launchpad.net/bugs/2153100 and https://www.cve.org/CVERecord?id=CVE-2026-10037. -- Aaron
pgp5ZCFHzRBsk.pgp
Description: OpenPGP digital signature
-- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
