packages/flatpak
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
flatpak/CVE-2023-28100.patch

86 lines
3.0 KiB
Diff
Raw Normal View History

Fix CVE-2023-28100 and CVE-2023-28101 and Fix several memory leaks (cherry picked from commit 6fe17b7f232e7c9530c41cff1c634d3cbad5ef28)
2024-03-28 15:25:16 +08:00
From a9bf18040cc075a70657c6090a59d7f6fe78f893 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Wed, 15 Mar 2023 09:58:56 +0000
Subject: [PATCH] run: Prevent TIOCLINUX ioctl, the same as TIOCSTI
The TIOCLINUX ioctl is only available on Linux virtual consoles such as
/dev/tty1. It has several Linux-specific functions, one of which is a
copy/paste operation which can be used for attacks similar to TIOCSTI.
This vulnerability does not affect typical graphical terminal emulators
such as xterm, gnome-terminal and Konsole, and Flatpak is primarily
designed to be run from a Wayland or X11 graphical environment, so this
is relatively unlikely to be a practical problem.
CVE-2023-28100, GHSA-7qpw-3vjv-xrqp
Resolves: https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp
Signed-off-by: Simon McVittie <smcv@debian.org>
---
common/flatpak-run.c | 4 ++++
tests/test-seccomp.sh | 8 +++++++-
tests/try-syscall.c | 9 +++++++++
3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 1c43ca7205..c4dcaca9e6 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2872,6 +2872,10 @@ setup_seccomp (FlatpakBwrap *bwrap,
/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
{SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
+ /* In the unlikely event that the controlling tty is a Linux virtual
+ * console (/dev/tty2 or similar), copy/paste operations have an effect
+ * similar to TIOCSTI (CVE-2023-28100) */
+ {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCLINUX)},
/* seccomp can't look into clone3()'s struct clone_args to check whether
* the flags are OK, so we have no choice but to block clone3().
diff --git a/tests/test-seccomp.sh b/tests/test-seccomp.sh
index 72b0dad231..be6fb085d0 100755
--- a/tests/test-seccomp.sh
+++ b/tests/test-seccomp.sh
@@ -8,7 +8,7 @@ set -euo pipefail
skip_without_bwrap
-echo "1..16"
+echo "1..18"
setup_repo
install_repo
@@ -80,6 +80,12 @@ for extra_argv in "" "--allow=multiarch"; do
ok "ioctl TIOCSTI with high bits blocked (CVE-2019-10063)"
fi
+ echo "# ioctl TIOCLINUX (CVE-2023-28100)"
+ e=0
+ try_syscall "ioctl TIOCLINUX" || e="$?"
+ assert_streq "$e" "$EPERM"
+ ok "ioctl TIOCLINUX blocked"
+
echo "# listen (benign)"
e=0
try_syscall "listen" || e="$?"
diff --git a/tests/try-syscall.c b/tests/try-syscall.c
index 84a0ca6673..9dab899ba3 100644
--- a/tests/try-syscall.c
+++ b/tests/try-syscall.c
@@ -144,6 +144,15 @@ main (int argc, char **argv)
}
}
#endif
+ else if (strcmp (arg, "ioctl TIOCLINUX") == 0)
+ {
+ /* If not blocked by seccomp, this will fail with EBADF */
+ if (ioctl (-1, TIOCLINUX, WRONG_POINTER) != 0)
+ {
+ errsv = errno;
+ perror (arg);
+ }
+ }
else if (strcmp (arg, "listen") == 0)
{
/* If not blocked by seccomp, this will fail with EBADF */
Reference in New Issue Copy Permalink