Bug 1711144 (CVE-2019-11461) - CVE-2019-11461 nautilus: sandbox security bypass
Summary: CVE-2019-11461 nautilus: sandbox security bypass
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-11461
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1711145 1714934 1714935
Blocks: 1711146
Reported: 2019-05-17 05:44 UTC by Dhananjay Arunesh
Modified: 2019-09-29 15:13 UTC (History)

Fixed In Version: nautilus 3.30.6, nautilus 3.32.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-03 05:51:59 UTC



Description Dhananjay Arunesh 2019-05-17 05:44:57 UTC
An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.32 prior to 3.32.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's controlling terminal, allowing an attacker to escape the sandbox if the thumbnailer has a controlling terminal. This is due to improper filtering of the TIOCSTI ioctl on 64-bit systems, similar to CVE-2019-10063.

Reference:
https://gitlab.gnome.org/GNOME/nautilus/issues/987

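The 64-bit filtering defect described above, as an added illustration that is not part of this bug report or of the nautilus code: a constructed C model of how a seccomp rule sees the ioctl request register in two 32-bit halves while the kernel's ioctl() only uses the low 32 bits, contrasting a full 64-bit equality check with the masked 32-bit comparison (the libseccomp CMP_MASKED_EQ pattern, assumed here to be the shape of the upstream fix; the linked commit is authoritative). TIOCSTI_REQ (0x5412) and NR_IOCTL (16) are the x86-64 values; the filter functions and `bypassed()` are hypothetical helpers written for this example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model: the kernel's ioctl() takes the request as an unsigned
 * int, so only the low 32 bits of the 64-bit register are used. A seccomp
 * filter, by contrast, sees the full 64-bit argument as two 32-bit words. */
#define TIOCSTI_REQ 0x5412u   /* TIOCSTI on x86-64 (asm-generic/ioctls.h) */
#define NR_IOCTL    16        /* __NR_ioctl on x86-64 */

enum verdict { ALLOW, DENY };

struct syscall_desc { int nr; uint64_t args[6]; };

/* What the kernel actually executes: the request truncated to 32 bits. */
static unsigned int kernel_ioctl_request(const struct syscall_desc *s) {
    return (unsigned int)s->args[1];
}

/* Defective rule: a plain 64-bit equality test (CMP_EQ). Both words must
 * match, so a request whose high word is non-zero does not equal TIOCSTI
 * and is allowed, even though the kernel will still treat it as TIOCSTI. */
static enum verdict filter_eq64(const struct syscall_desc *s) {
    if (s->nr != NR_IOCTL) return ALLOW;
    uint32_t lo = (uint32_t)s->args[1];
    uint32_t hi = (uint32_t)(s->args[1] >> 32);
    return (lo == TIOCSTI_REQ && hi == 0) ? DENY : ALLOW;
}

/* Corrected rule: compare only the word the kernel will use, i.e. a masked
 * equality with mask 0xffffffff (CMP_MASKED_EQ). High bits cannot evade it. */
static enum verdict filter_masked32(const struct syscall_desc *s) {
    if (s->nr != NR_IOCTL) return ALLOW;
    return ((uint32_t)s->args[1] == TIOCSTI_REQ) ? DENY : ALLOW;
}

/* Regression check a sandbox maintainer can keep in a test suite: true when
 * the filter allows a call that the kernel will execute as TIOCSTI. */
static bool bypassed(enum verdict (*f)(const struct syscall_desc *),
                     uint64_t request) {
    struct syscall_desc s = { NR_IOCTL, { 0, request, 0, 0, 0, 0 } };
    return f(&s) == ALLOW && kernel_ioctl_request(&s) == TIOCSTI_REQ;
}
```
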
Comment 1 Dhananjay Arunesh 2019-05-17 05:46:16 UTC
Created nautilus tracking bugs for this issue:

Affects: fedora-all [bug 1711145]

Comment 2 Huzaifa S. Sidhpurwala 2019-05-29 08:37:43 UTC
Analysis:

This is the same issue as CVE-2019-10063 except that this one affects the nautilus package using seccomp filter. The attack vector is a malicious thumbnailer. A thumbnailer is a program with no user interface that takes a file and a pixel size as inputs, and it writes a thumbnail for that file. GNOME determines which thumbnailer program to use based on the MIME type of the file for which a thumbnail is to be generated. The thumbnailer is confined by the seccomp filter. The attacker will need to install a malicious thumbnailer program for successful exploitation.

https://developer.gnome.org/integration-guide/stable/thumbnailer.html.en

Comment 4 Huzaifa S. Sidhpurwala 2019-05-29 08:42:18 UTC
Upstream patch: https://gitlab.gnome.org/GNOME/nautilus/commit/2ddba428ef2b13d0620bd599c3635b9c11044659

Comment 5 Huzaifa S. Sidhpurwala 2019-06-03 05:50:14 UTC
The versions of nautilus used with Red Hat Enterprise Linux 7 and 8 do not bundle the sandbox code, but use the code from gnome-desktop as a dependency. gnome-desktop has a similar issue (sandbox bypass due to the same bundled code) and has been assigned CVE-2019-11460.
