SB2017032918 - Security restrictions bypass in Bubblewrap
Published: March 29, 2017 Updated: March 20, 2023
Security Bulletin ID
SB2017032918
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2017-5226)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input. The non-privileged session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox.
Remediation
Install update from vendor's website.
References
- https://github.com/projectatomic/bubblewrap/issues/142
- https://github.com/projectatomic/bubblewrap/commit/d7fc532c42f0e9bf427923bab85433282b3e5117
- https://bugzilla.redhat.com/show_bug.cgi?id=1411811
- http://www.securityfocus.com/bid/97260
- http://www.openwall.com/lists/oss-security/2020/07/10/1
- https://www.openwall.com/lists/oss-security/2023/03/14/2
- http://www.openwall.com/lists/oss-security/2023/03/17/1