Bug 1711144 (CVE-2019-11461)

Summary: CVE-2019-11461 nautilus: sandbox security bypass
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: alexl, caillon+fedoraproject, cosimo.cecchi, csoriano, gnome-sig, john.j5live, mclasen, rhughes, sandmann
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: nautilus 3.30.6, nautilus 3.32.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-03 05:51:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1711145, 1714934, 1714935
Bug Blocks: 1711146

Description Dhananjay Arunesh 2019-05-17 05:44:57 UTC
An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.32 prior to 3.32.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's controlling terminal, allowing an attacker to escape the sandbox if the thumbnailer has a controlling terminal. This is due to improper filtering of the TIOCSTI ioctl on 64-bit systems, similar to CVE-2019-10063.

Reference:
https://gitlab.gnome.org/GNOME/nautilus/issues/987

Comment 1 Dhananjay Arunesh 2019-05-17 05:46:16 UTC
Created nautilus tracking bugs for this issue:

Affects: fedora-all [bug 1711145]

Comment 2 Huzaifa S. Sidhpurwala 2019-05-29 08:37:43 UTC
Analysis:

This is the same issue as CVE-2019-10063 except that this one affects the nautilus package using seccomp filter. The attack vector is a malicious thumbnailer. A thumbnailer is a program with no user interface that takes a file and a pixel size as inputs, and it writes a thumbnail for that file. GNOME determines which thumbnailer program to use based on the MIME type of the file for which a thumbnail is to be generated. The thumbnailer is confined by the seccomp filter. The attacker will need to install a malicious thumbnailer program for successful exploitation.

https://developer.gnome.org/integration-guide/stable/thumbnailer.html.en
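The 64-bit filtering defect named in the description above and in Comment 2 comes down to how a seccomp-bpf rule compares the ioctl request argument. As an added illustration (not code from nautilus, flatpak or gnome-desktop): a filter that denies TIOCSTI only when the whole 64-bit argument equals TIOCSTI, which is what an exact-equality rule expands to on a 64-bit arch, is shown beside one that compares only the low 32 bits, which is all the kernel's ioctl() dispatches on. A small interpreter for the three BPF opcodes used evaluates both filters against constructed seccomp_data records, so nothing is installed and no syscall is made. The little-endian x86-64 layout, the AUDIT_ARCH_X86_64 arch value and the TIOCSTI fallback value 0x5412 are assumptions.

```c
/* Added example (not from nautilus, flatpak or gnome-desktop): a seccomp-bpf
 * TIOCSTI rule that checks the full 64-bit request next to the low-32-bit
 * (masked) check the kernel's own truncation of the request calls for. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>    /* AUDIT_ARCH_X86_64 */
#include <linux/filter.h>   /* struct sock_filter, BPF_STMT, BPF_JUMP */
#include <linux/seccomp.h>  /* struct seccomp_data, SECCOMP_RET_* */
#include <sys/ioctl.h>      /* TIOCSTI on glibc/Linux */
#include <sys/syscall.h>    /* SYS_ioctl */

#ifndef TIOCSTI
#define TIOCSTI 0x5412      /* assumption: x86-64 Linux value (asm/ioctls.h) */
#endif

/* seccomp-bpf loads 32-bit words, so a 64-bit argument is two loads.
 * Offsets assume little-endian (x86-64): low word first, high word at +4. */
#define ARG_LO(i) ((uint32_t)offsetof(struct seccomp_data, args[i]))
#define ARG_HI(i) ((uint32_t)offsetof(struct seccomp_data, args[i]) + 4)
#define DENY_EIO  (SECCOMP_RET_ERRNO | (EIO & SECCOMP_RET_DATA))
#define NELEM(a)  (sizeof(a) / sizeof((a)[0]))

/* "Before": deny only if high word == 0 AND low word == TIOCSTI (an exact
 * 64-bit equality). A request with any high bit set skips the deny rule,
 * yet the kernel truncates the request to unsigned int and still runs TIOCSTI. */
static const struct sock_filter weak_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_ioctl, 0, 4),  /* not ioctl: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_HI(1)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 2),          /* high != 0: allow (the defect) */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, DENY_EIO),
};

/* "After": compare only the low 32 bits (a masked equality with mask
 * 0xFFFFFFFF), which is exactly what ioctl() dispatches on. */
static const struct sock_filter fixed_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_ioctl, 0, 2),  /* not ioctl: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, DENY_EIO),
};

/* Toy cBPF interpreter for the three opcodes above (LD|W|ABS, JMP|JEQ|K, RET|K). */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)sd + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;   /* loop adds the +1 */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;                    /* opcode not modelled */
        }
    }
    return SECCOMP_RET_KILL;
}

/* Build the record the kernel would hand the filter for ioctl(0, request, ...). */
static uint32_t decide_ioctl(const struct sock_filter *prog, size_t len, uint64_t request)
{
    struct seccomp_data sd;
    memset(&sd, 0, sizeof sd);
    sd.nr = SYS_ioctl;
    sd.arch = AUDIT_ARCH_X86_64;
    sd.args[1] = request;   /* full 64-bit register value, as seccomp sees it */
    return run_filter(prog, len, &sd);
}

uint32_t weak_decision(uint64_t request)  { return decide_ioctl(weak_filter, NELEM(weak_filter), request); }
uint32_t fixed_decision(uint64_t request) { return decide_ioctl(fixed_filter, NELEM(fixed_filter), request); }
uint32_t kernel_cmd(uint64_t request)     { return (uint32_t)request; }   /* ioctl's cmd is unsigned int */

int main(void)
{
    const uint64_t plain = TIOCSTI, high_bits = (uint64_t)TIOCSTI | (1ULL << 32);
    printf("weak : TIOCSTI=%#x  TIOCSTI|1<<32=%#x (kernel still sees %#x)\n",
           weak_decision(plain), weak_decision(high_bits), kernel_cmd(high_bits));
    printf("fixed: TIOCSTI=%#x  TIOCSTI|1<<32=%#x\n",
           fixed_decision(plain), fixed_decision(high_bits));
    return 0;
}
```

The weak filter returns SECCOMP_RET_ALLOW for the request with a high bit set while the kernel still dispatches TIOCSTI; the fixed filter returns the EIO error action for both forms and still allows unrelated requests. Real deployments generate the same two-word structure through libseccomp, where the difference is an exact comparison versus one masked to 0xFFFFFFFF.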

Comment 4 Huzaifa S. Sidhpurwala 2019-05-29 08:42:18 UTC
Upstream patch: https://gitlab.gnome.org/GNOME/nautilus/commit/2ddba428ef2b13d0620bd599c3635b9c11044659

Comment 5 Huzaifa S. Sidhpurwala 2019-06-03 05:50:14 UTC
The versions of nautilus used with Red Hat Enterprise Linux 7 and 8 do not bundle the sandbox code, but use the code from gnome-desktop as a dependency. gnome-desktop has a similar issue (sandbox bypass due to the same bundled code) and has been assigned CVE-2019-11460.