An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.32 prior to 3.32.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's controlling terminal, allowing an attacker to escape the sandbox if the thumbnailer has a controlling terminal. This is due to improper filtering of the TIOCSTI ioctl on 64-bit systems, similar to CVE-2019-10063. Reference: https://gitlab.gnome.org/GNOME/nautilus/issues/987
Created nautilus tracking bugs for this issue: Affects: fedora-all [bug 1711145]
Analysis: This is the same issue as CVE-2019-10063 except that this one affects the nautilus package using seccomp filter. The attack vector is a malicious thumbnailer. A thumbnailer is a program with no user interface that takes a file and a pixel size as inputs, and it writes a thumbnail for that file. GNOME determines which thumbnailer program to use based on the MIME type of the file for which a thumbnail is to be generated. The thumbernailer is confined by the seccomp filter. The attacker will need to install a malicious thumbernailer program for successful exploitation. https://developer.gnome.org/integration-guide/stable/thumbnailer.html.en
Upstream patch: https://gitlab.gnome.org/GNOME/nautilus/commit/2ddba428ef2b13d0620bd599c3635b9c11044659
The versions of nautilus used with Red Hat Enterprise Linux 7 and 8, does not bundle the sandbox code, but it uses the code from gnome-desktop as a dependency. gnome-desktop has a similar issue (sandbox bypass due to same bundled code) and has been assigned CVE-2019-11460.