From 8e63de9a7d3124f91140fc74f8ca9ed73ed53be9 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Wed, 15 Mar 2023 09:58:56 +0000
Subject: [PATCH] run: Prevent TIOCLINUX ioctl, the same as TIOCSTI

The TIOCLINUX ioctl is only available on Linux virtual consoles such as
/dev/tty1. It has several Linux-specific functions, one of which is a
copy/paste operation which can be used for attacks similar to TIOCSTI.

This vulnerability does not affect typical graphical terminal emulators
such as xterm, gnome-terminal and Konsole, and Flatpak is primarily
designed to be run from a Wayland or X11 graphical environment, so this
is relatively unlikely to be a practical problem.

CVE-2023-28100, GHSA-7qpw-3vjv-xrqp

Resolves: https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp
Signed-off-by: Simon McVittie <smcv@debian.org>
---
 common/flatpak-run.c  | 4 ++++
 tests/test-seccomp.sh | 8 +++++++-
 tests/try-syscall.c   | 9 +++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

Index: flatpak-1.4.2/common/flatpak-run.c
===================================================================
--- flatpak-1.4.2.orig/common/flatpak-run.c
+++ flatpak-1.4.2/common/flatpak-run.c
@@ -2471,6 +2471,10 @@ setup_seccomp (FlatpakBwrap   *bwrap,
 
     /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
     {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
+    /* In the unlikely event that the controlling tty is a Linux virtual
+     * console (/dev/tty2 or similar), copy/paste operations have an effect
+     * similar to TIOCSTI (CVE-2023-28100) */
+    {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCLINUX)},
   };
 
   struct
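Review bot: The new TIOCLINUX entry copies the `SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu` idiom from the TIOCSTI line without saying why the mask is there, and neither comment explains it. As far as I can tell the mask is deliberate: the kernel's ioctl entry point takes the request as an `unsigned int`, so a 64-bit caller could set bits above the low 32 and still reach the same ioctl while an exact-equality rule would not match; comparing only the low 32 bits closes that gap. I would extend the comment on the new lines to say so, e.g. `/* Compare only the low 32 bits of the request: the kernel ignores the upper bits of the ioctl cmd, so an unmasked EQ rule could be bypassed */`, so the next person adding an ioctl rule keeps the mask. The action taken when the rule matches is not visible in this hunk, and setup_seccomp's body starts and ends outside it.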
