Bug 2236890 (CVE-2023-1523)

Summary: CVE-2023-1523 snapd: code exec via TIOCLINUX ioctl request
Product: [Other] Security Response Reporter: Chess Hazlett <chazlett>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2236891, 2236892    
Bug Blocks:    

Description Chess Hazlett 2023-09-01 21:36:41 UTC 
Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected - this can only be exploited when snaps are run on a virtual console.

https://ubuntu.com/security/notices/USN-6125-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523
https://github.com/snapcore/snapd/pull/12849
https://marc.info/?l=oss-security&m=167879021709955&w=2
Comment 1 Chess Hazlett 2023-09-01 21:36:57 UTC 
Created snapd tracking bugs for this issue:

Affects: epel-all [bug 2236891]
Affects: fedora-all [bug 2236892]