Bug 1411811 (CVE-2017-5226)

Summary: CVE-2017-5226 bubblewrap: Nonprivileged session can escape to the parent session by using the TIOCSTI ioctl
Product: [Other] Security Response
Component: vulnerability
Reporter: Andrej Nemec <anemec>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
CC: alexl, lsm5, mclasen, walters
Fixed In Version: bubblewrap 0.1.5
Last Closed: 2018-05-31 14:00:42 UTC
Bug Depends On: 1411814, 1411815

Description Andrej Nemec 2017-01-10 14:46:44 UTC
When executing a program via the bubblewrap sandbox, the nonpriv
session can escape to the parent session by using the TIOCSTI ioctl to
push characters into the terminal's input buffer, allowing an attacker
to escape the sandbox.

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850702

Upstream bugs:

https://github.com/projectatomic/bubblewrap/issues/142
https://github.com/projectatomic/bubblewrap/pull/143

Upstream patch:

https://github.com/projectatomic/bubblewrap/commit/d7fc532c42f0e9bf427923bab85433282b3e5117

Comment 1 Andrej Nemec 2017-01-10 14:47:24 UTC
Created bubblewrap tracking bugs for this issue:

Affects: epel-7 [bug 1411815]
Affects: fedora-all [bug 1411814]

Comment 2 Colin Walters 2018-05-31 14:00:42 UTC
We decided not to change bubblewrap for this; see https://github.com/projectatomic/bubblewrap/pull/150

Effectively it's something software which *uses* flatpak has to choose how to handle. (Also, really, the kernel should make it easy to disallow.)
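The choice Colin describes, and the mitigation bubblewrap ships as the opt-in `--new-session` flag, comes down to calling setsid() in the child before exec so the sandboxed program has no controlling terminal for TIOCSTI to target (the other option is a seccomp filter that denies the TIOCSTI ioctl). The launcher step below is an added example, not bubblewrap's or Flatpak's code; `probe_controlling_tty` and `child_tty_status` are hypothetical names, and the check relies on open("/dev/tty") failing with ENXIO when a process has no controlling terminal.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome codes returned by child_tty_status() (hypothetical names). */
enum { CHECK_FAILED = -1, TTY_UNREACHABLE = 0, TTY_REACHABLE = 1 };

/* Runs inside the child: can this process still reach a controlling terminal?
 * open("/dev/tty") fails with ENXIO when the process has none (see tty(4)). */
static int probe_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd >= 0) {
        close(fd);
        return TTY_REACHABLE;   /* inherited the parent's tty: TIOCSTI could target it */
    }
    if (errno == ENXIO || errno == ENOENT)
        return TTY_UNREACHABLE; /* no controlling tty (or no /dev/tty node at all) */
    return CHECK_FAILED;
}

/* Fork a child, optionally detach it with setsid() the way bwrap --new-session does,
 * and report what the child saw via its exit status (code + 1, so CHECK_FAILED is 0). */
static int child_tty_status(int new_session)
{
    pid_t pid = fork();
    if (pid < 0)
        return CHECK_FAILED;
    if (pid == 0) {
        /* A freshly forked child is never a group leader, so setsid() succeeds and
         * leaves it with no controlling terminal; a real launcher would exec here. */
        if (new_session && setsid() < 0)
            _exit(CHECK_FAILED + 1);
        _exit(probe_controlling_tty() + 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return CHECK_FAILED;
    return WEXITSTATUS(status) - 1;
}

int main(void)
{
    /* 1 = tty reachable, 0 = unreachable, -1 = check failed */
    printf("inherited session: %d\nafter setsid():    %d\n",
           child_tty_status(0), child_tty_status(1));
    return 0;
}
```

Run it from an interactive terminal to see the inherited child report 1 and the detached child report 0; under a non-interactive parent both report 0, which is exactly the state the mitigation wants.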