2179220 – (CVE-2023-28100) CVE-2023-28100 flatpak: TIOCLINUX can send commands outside sandbox if running on a virtual console

Bug 2179220 (CVE-2023-28100) - CVE-2023-28100 flatpak: TIOCLINUX can send commands outside sandbox if running on a virtual console

Summary: CVE-2023-28100 flatpak: TIOCLINUX can send commands outside sandbox if runnin...

Keywords:
Status:	NEW
Alias:	CVE-2023-28100
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2180311 2180312 2179221 2179222
Blocks:	2179174
TreeView+	depends on / blocked

Reported:	2023-03-17 05:05 UTC by Sandipan Roy
Modified:	2023-07-07 08:30 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Flatpak, a system for building, distributing, and running sandboxed desktop applications on Linux. It contains a vulnerability similar to CVE-2017-5226 but using the `TIOCLINUX` ioctl command instead of `TIOCSTI.` If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal, and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2`, and others.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Sandipan Roy 2023-03-17 05:05:05 UTC

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.

https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp
https://github.com/flatpak/flatpak/commit/8e63de9a7d3124f91140fc74f8ca9ed73ed53be9
https://marc.info/?l=oss-security&m=167879021709955&w=2

Comment 1 Sandipan Roy 2023-03-17 05:06:42 UTC

Created flatpak tracking bugs for this issue:

Affects: fedora-36 [bug 2179221]
Affects: fedora-37 [bug 2179222]

Note You need to log in before you can comment on or make changes to this bug.