CVE-2019-10063
Published 2019-03-26
Priority P352 | critical | 9 | CVSS 3.0
AV:N / AC:H / PR:N / UI:N / S:C / C:H / I:H / A:H
EPSS: 1.91% (77.2th percentile)
Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox after the sandboxed app exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be bypassed by an ioctl request number that has TIOCSTI in its 32 least significant bits and an arbitrary nonzero value in its 32 most significant bits, which the Linux kernel would treat as equivalent to TIOCSTI.
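The mismatch described above, modelled in C as an added example (not Flatpak's or the kernel's code): a filter rule that compares all 64 bits of the ioctl request against TIOCSTI, next to one that compares only the low 32 bits, checked against a model of the kernel's 32-bit truncation. The function names and the probe values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ioctl.h>   /* TIOCSTI, TIOCGWINSZ */

enum verdict { ALLOW, DENY };
typedef enum verdict (*filter_fn)(uint64_t);

/* A seccomp filter sees each syscall argument as a full 64-bit value.
 * Incomplete rule: deny only when all 64 bits equal TIOCSTI. */
enum verdict filter_exact(uint64_t request) {
    return request == (uint64_t)TIOCSTI ? DENY : ALLOW;
}

/* Corrected rule: compare only the low 32 bits, the part the kernel uses. */
enum verdict filter_masked(uint64_t request) {
    return (request & 0xFFFFFFFFu) == (uint64_t)TIOCSTI ? DENY : ALLOW;
}

/* Model of the kernel side: the ioctl command is a 32-bit unsigned int,
 * so the upper half of the register is discarded. */
uint32_t kernel_cmd(uint64_t request) { return (uint32_t)request; }

/* Constructed probes: plain TIOCSTI, upper bits set, and a harmless ioctl. */
const uint64_t PROBES[] = {
    (uint64_t)TIOCSTI,
    ((uint64_t)1 << 32) | TIOCSTI,
    0xFFFFFFFF00000000ULL | TIOCSTI,
    (uint64_t)TIOCGWINSZ,
    ((uint64_t)1 << 32) | TIOCGWINSZ,
};
#define N_PROBES (sizeof PROBES / sizeof PROBES[0])

/* Probes the filter allows although the kernel would run them as TIOCSTI. */
size_t count_escapes(filter_fn f) {
    size_t n = 0;
    for (size_t i = 0; i < N_PROBES; i++)
        if (kernel_cmd(PROBES[i]) == (uint32_t)TIOCSTI && f(PROBES[i]) == ALLOW)
            n++;
    return n;
}

int main(void) {
    printf("exact compare:  %zu escapes\n", count_escapes(filter_exact));
    printf("masked compare: %zu escapes\n", count_escapes(filter_masked));
    return count_escapes(filter_masked) != 0;   /* nonzero exit if a gap remains */
}
```

The same completeness check applies to any seccomp rule that matches a 32-bit syscall parameter by value on a 64-bit platform.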
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | flatpak | < flatpak 1.2.3-2 (bookworm) | flatpak 1.2.3-2 (bookworm) |
| debian | gnome-desktop3 | < gnome-desktop3 3.30.2.1-2 (bullseye) | gnome-desktop3 3.30.2.1-2 (bullseye) |
| debian | nautilus | < nautilus 3.30.5-2 (bookworm) | nautilus 3.30.5-2 (bookworm) |
| flatpak | flatpak | < 1.0.8 | 1.0.8 |
| flatpak | flatpak | — | — |
| flatpak | flatpak | >= 0 < 1.2.3-2 | 1.2.3-2 |
| flatpak | flatpak | >= 0 < 1.2.3-2 | 1.2.3-2 |
| flatpak | flatpak | >= 0 < 1.2.3-2 | 1.2.3-2 |
| flatpak | flatpak | >= 0 < 1.2.3-2 | 1.2.3-2 |
| flatpak | flatpak | 1.1.0 – 1.1.3 | — |
| flatpak | flatpak | >= 1.2.0 < 1.2.4 | 1.2.4 |
| gnome | gnome-desktop | — | — |
| gnome | gnome-desktop | — | — |
| gnome | gnome-desktop | >= 3.30.0 < 3.30.2.2 | 3.30.2.2 |
| gnome | gnome-desktop | >= 3.32.0 < 3.32.1.1 | 3.32.1.1 |
| gnome | nautilus | >= 0 < 3.30.5-2 | 3.30.5-2 |
| gnome | nautilus | >= 0 < 3.30.5-2 | 3.30.5-2 |
| gnome | nautilus | >= 0 < 3.30.5-2 | 3.30.5-2 |
| gnome | nautilus | >= 0 < 3.30.5-2 | 3.30.5-2 |
| gnome | nautilus | >= 3.30 < 3.30.6 | 3.30.6 |
| gnome | nautilus | >= 3.32 < 3.32.1 | 3.32.1 |
CVSS provenance
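| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.0 | CRITICAL | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 10.0 | CRITICAL | |
| vendor_debian | | 10.0 | CRITICAL | |
| vendor_redhat | | 10.0 | CRITICAL | |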
Red Hat
nautilus: sandbox security bypass
vendor_redhat·2019-04-13·CVSS 9.0
CVE-2019-11461 [CRITICAL] CWE-358 nautilus: sandbox security bypass
An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.32 prior to 3.32.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's controlling terminal, allowing an attacker to escape the sandbox if the thumbnailer has a controlling terminal. This is due to improper filtering of the TIOCSTI ioctl on 64-bit systems, similar to CVE-2019-10063.
Package: nautilus (Red Hat Enterprise Linux 5) - Not affected
Package: nautilus (Red Hat Enterprise Linux 6) - Not affected
Package: nautilus (Red Hat Enterprise Linux 7) - Not affected
Package: nautilus (Red Hat Enterprise Linux 8) - Not affected
Red Hat
gnome-desktop: thumbnailer security bypass
vendor_redhat·2019-04-13·CVSS 9.0
CVE-2019-11460 [CRITICAL] CWE-250 gnome-desktop: thumbnailer security bypass
An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 prior to 3.30.2.2, and 3.32 prior to 3.32.1.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's controlling terminal, allowing an attacker to escape the sandbox if the thumbnailer has a controlling terminal. This is due to improper filtering of the TIOCSTI ioctl on 64-bit systems, similar to CVE-2019-10063.
Package: gnome-desktop (Red Hat Enterprise Linux 5) - Not affected
Package: gnome-desktop (Red Hat Enterprise Linux 6) - Not affected
Package: gnome-desktop (Red Hat Enterprise Linux 7) - Not affected
Package: gnome-desktop3 (Red Hat Enterprise L
Red Hat
flatpak: Sandbox bypass via IOCSTI (incomplete fix for CVE-2017-5226)
vendor_redhat·2019-03-22·CVSS 10.0
CVE-2019-10063 [CRITICAL] CWE-266 flatpak: Sandbox bypass via IOCSTI (incomplete fix for CVE-2017-5226)
Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox after the sandboxed app exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be bypassed by an ioctl request number that has TIOCSTI in its 32 least significant bits and an arbitrary nonzero value in its 32 most significant bits, which the Linux kernel would treat as equivalent to TIOCSTI.
An incomplete fix for CVE-2017-5226 was found in
Debian
CVE-2019-10063: flatpak - Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allow...
vendor_debian·2019·CVSS 10.0
CVE-2019-10063 [CRITICAL] CVE-2019-10063: flatpak - Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allow...
Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox after the sandboxed app exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be bypassed by an ioctl request number that has TIOCSTI in its 32 least significant bits and an arbitrary nonzero value in its 32 most significant bits, which the Linux kernel would treat as equivalent to TIOCSTI.
Scope: local
bookworm: resolved (fixed in 1.2.3-2)
bullseye: resolved (fixed in 1.2.3-2)
forky: resolved (fixed in 1.2.3-
Debian
CVE-2019-11460: gnome-desktop3 - An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 prior to 3.3...
vendor_debian·2019·CVSS 9.0
CVE-2019-11460 [CRITICAL] CVE-2019-11460: gnome-desktop3 - An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 prior to 3.3...
An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 prior to 3.30.2.2, and 3.32 prior to 3.32.1.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's controlling terminal, allowing an attacker to escape the sandbox if the thumbnailer has a controlling terminal. This is due to improper filtering of the TIOCSTI ioctl on 64-bit systems, similar to CVE-2019-10063.
Scope: local
bullseye: resolved (fixed in 3.30.2.1-2)
Debian
CVE-2019-11461: nautilus - An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.32 prior to...
vendor_debian·2019·CVSS 9.0
CVE-2019-11461 [CRITICAL] CVE-2019-11461: nautilus - An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.32 prior to...
An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.32 prior to 3.32.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's controlling terminal, allowing an attacker to escape the sandbox if the thumbnailer has a controlling terminal. This is due to improper filtering of the TIOCSTI ioctl on 64-bit systems, similar to CVE-2019-10063.
Scope: local
bookworm: resolved (fixed in 3.30.5-2)
bullseye: resolved (fixed in 3.30.5-2)
forky: resolved (fixed in 3.30.5-2)
sid: resolved (fixed in 3.30.5-2)
trixie: resolved (fixed in 3.30.5-2)
GHSA
GHSA-jjgg-8c74-rh96: An issue was discovered in GNOME Nautilus 3
ghsa_unreviewed·2022-05-24·CVSS 9.0
CVE-2019-11461 [CRITICAL] GHSA-jjgg-8c74-rh96: An issue was discovered in GNOME Nautilus 3
An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.32 prior to 3.32.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's controlling terminal, allowing an attacker to escape the sandbox if the thumbnailer has a controlling terminal. This is due to improper filtering of the TIOCSTI ioctl on 64-bit systems, similar to CVE-2019-10063.
GHSA
GHSA-wqw3-2245-pjp7: An issue was discovered in GNOME gnome-desktop 3
ghsa_unreviewed·2022-05-24·CVSS 9.0
CVE-2019-11460 [CRITICAL] CWE-20 GHSA-wqw3-2245-pjp7: An issue was discovered in GNOME gnome-desktop 3
An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 prior to 3.30.2.2, and 3.32 prior to 3.32.1.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's controlling terminal, allowing an attacker to escape the sandbox if the thumbnailer has a controlling terminal. This is due to improper filtering of the TIOCSTI ioctl on 64-bit systems, similar to CVE-2019-10063.
GHSA
GHSA-mc9j-733x-89cx: Flatpak before 1
ghsa_unreviewed·2022-05-14·CVSS 10.0
CVE-2019-10063 [CRITICAL] CWE-20 GHSA-mc9j-733x-89cx: Flatpak before 1
Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox after the sandboxed app exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be bypassed by an ioctl request number that has TIOCSTI in its 32 least significant bits and an arbitrary nonzero value in its 32 most significant bits, which the Linux kernel would treat as equivalent to TIOCSTI.
OSV
CVE-2019-11461: An issue was discovered in GNOME Nautilus 3
osv·2019-04-22·CVSS 9.0
CVE-2019-11461 [CRITICAL] CVE-2019-11461: An issue was discovered in GNOME Nautilus 3
An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.32 prior to 3.32.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's controlling terminal, allowing an attacker to escape the sandbox if the thumbnailer has a controlling terminal. This is due to improper filtering of the TIOCSTI ioctl on 64-bit systems, similar to CVE-2019-10063.
OSV
CVE-2019-11460: An issue was discovered in GNOME gnome-desktop 3
osv·2019-04-22·CVSS 9.0
CVE-2019-11460 [CRITICAL] CVE-2019-11460: An issue was discovered in GNOME gnome-desktop 3
An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 prior to 3.30.2.2, and 3.32 prior to 3.32.1.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's controlling terminal, allowing an attacker to escape the sandbox if the thumbnailer has a controlling terminal. This is due to improper filtering of the TIOCSTI ioctl on 64-bit systems, similar to CVE-2019-10063.
OSV
CVE-2019-10063: Flatpak before 1
osv·2019-03-26·CVSS 10.0
CVE-2019-10063 [CRITICAL] CVE-2019-10063: Flatpak before 1
Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox after the sandboxed app exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be bypassed by an ioctl request number that has TIOCSTI in its 32 least significant bits and an arbitrary nonzero value in its 32 most significant bits, which the Linux kernel would treat as equivalent to TIOCSTI.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-11460 gnome-desktop: thumbnailer security bypass
bugzilla·2019-06-03·CVSS 9.0
CVE-2019-11460 [CRITICAL] CVE-2019-11460 gnome-desktop: thumbnailer security bypass
An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 prior to 3.30.2.2, and 3.32 prior to 3.32.1.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's controlling terminal, allowing an attacker to escape the sandbox if the thumbnailer has a controlling terminal. This is due to improper filtering of the TIOCSTI ioctl on 64-bit systems, similar to CVE-2019-10063.
Reference:
https://gitlab.gnome.org/GNOME/gnome-desktop/issues/112
Discussion:
Created gnome-desktop tracking bugs for this issue:
Affects: fedora-all [bug 1716290]
Created gnome-desktop3 tracking bugs for this issue:
Affects: f
Bugzilla
CVE-2019-11461 nautilus: sandbox security bypass
bugzilla·2019-05-17·CVSS 9.0
CVE-2019-11461 [CRITICAL] CVE-2019-11461 nautilus: sandbox security bypass
An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.32 prior to 3.32.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's controlling terminal, allowing an attacker to escape the sandbox if the thumbnailer has a controlling terminal. This is due to improper filtering of the TIOCSTI ioctl on 64-bit systems, similar to CVE-2019-10063.
Reference:
https://gitlab.gnome.org/GNOME/nautilus/issues/987
Discussion:
Created nautilus tracking bugs for this issue:
Affects: fedora-all [bug 1711145]
---
Analysis:
This is the same issue as CVE-2019-10063 except that this one affects the nautilus package usi
Bugzilla
CVE-2019-10063 flatpak: Sandbox bypass via IOCSTI (incomplete fix for CVE-2017-5226) [fedora-all]
bugzilla·2019-04-04·CVSS 10.0
CVE-2019-10063 [CRITICAL] CVE-2019-10063 flatpak: Sandbox bypass via IOCSTI (incomplete fix for CVE-2017-5226) [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multipl
Bugzilla
CVE-2019-10063 flatpak: Sandbox bypass via IOCSTI (incomplete fix for CVE-2017-5226)
bugzilla·2019-04-04·CVSS 10.0
CVE-2019-10063 [CRITICAL] CVE-2019-10063 flatpak: Sandbox bypass via IOCSTI (incomplete fix for CVE-2017-5226)
Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox after the sandboxed app exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be bypassed by an ioctl request number that has TIOCSTI in its 32 least significant bits and an arbitrary nonzero value in its 32 most significant bits, which the Linux kernel would treat as equivalent to TIOCSTI.
Upstream issue:
https://github.co
Published: 2019-03-26