Overview

File CVE-2023-28100.patch of Package flatpak.28335

From 8e63de9a7d3124f91140fc74f8ca9ed73ed53be9 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Wed, 15 Mar 2023 09:58:56 +0000
Subject: [PATCH] run: Prevent TIOCLINUX ioctl, the same as TIOCSTI

The TIOCLINUX ioctl is only available on Linux virtual consoles such as
/dev/tty1. It has several Linux-specific functions, one of which is a
copy/paste operation which can be used for attacks similar to TIOCSTI.

This vulnerability does not affect typical graphical terminal emulators
such as xterm, gnome-terminal and Konsole, and Flatpak is primarily
designed to be run from a Wayland or X11 graphical environment, so this
is relatively unlikely to be a practical problem.

CVE-2023-28100, GHSA-7qpw-3vjv-xrqp

Resolves: https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp
Signed-off-by: Simon McVittie <smcv@debian.org>
---
 common/flatpak-run.c  | 4 ++++
 tests/test-seccomp.sh | 8 +++++++-
 tests/try-syscall.c   | 9 +++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

Index: flatpak-1.2.3/common/flatpak-run.c
===================================================================
--- flatpak-1.2.3.orig/common/flatpak-run.c
+++ flatpak-1.2.3/common/flatpak-run.c
@@ -1884,7 +1884,7 @@ flatpak_run_add_dconf_args (FlatpakBwrap
                                            FLATPAK_METADATA_GROUP_DCONF,
                                            FLATPAK_METADATA_KEY_DCONF_PATHS,
                                            NULL, NULL);
- 
+
   get_dconf_data (app_id, (const char **)settings,
                            &defaults, &defaults_size,
                            &locks, &locks_size);
@@ -2422,6 +2422,10 @@ setup_seccomp (FlatpakBwrap   *bwrap,
 
     /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
     {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
+    /* In the unlikely event that the controlling tty is a Linux virtual
+     * console (/dev/tty2 or similar), copy/paste operations have an effect
+     * similar to TIOCSTI (CVE-2023-28100) */
+    {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCLINUX)},
 
     /* seccomp can't look into clone3()'s struct clone_args to check whether
      * the flags are OK, so we have no choice but to block clone3().
openSUSE Build Service is sponsored by
Places