Input validation error in Bubblewrap - CVE-2017-5226
Published: March 20, 2023
Vulnerability identifier: #VU73856
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-5226
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Bubblewrap
Bubblewrap
Software vendor:
Project Atomic
Project Atomic
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input. The non-privileged session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox.
Remediation
Install updates from vendor's website.
External links
- https://github.com/projectatomic/bubblewrap/issues/142
- https://github.com/projectatomic/bubblewrap/commit/d7fc532c42f0e9bf427923bab85433282b3e5117
- https://bugzilla.redhat.com/show_bug.cgi?id=1411811
- http://www.securityfocus.com/bid/97260
- http://www.openwall.com/lists/oss-security/2020/07/10/1
- https://www.openwall.com/lists/oss-security/2023/03/14/2
- http://www.openwall.com/lists/oss-security/2023/03/17/1