#VU73856 Input validation error in Bubblewrap - CVE-2017-5226


Vulnerability identifier: #VU73856

Vulnerability risk: Medium

CVSSv4.0: 5.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-5226

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Bubblewrap
Server applications / Other server solutions

Vendor: Project Atomic

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input. The non-privileged session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Bubblewrap: 0.1.0 - 0.1.4

External links
https://github.com/projectatomic/bubblewrap/issues/142
https://github.com/projectatomic/bubblewrap/commit/d7fc532c42f0e9bf427923bab85433282b3e5117
https://bugzilla.redhat.com/show_bug.cgi?id=1411811
https://www.securityfocus.com/bid/97260
https://www.openwall.com/lists/oss-security/2020/07/10/1
https://www.openwall.com/lists/oss-security/2023/03/14/2
https://www.openwall.com/lists/oss-security/2023/03/17/1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Anolis OS update for flatpak
openEuler 22.03 LTS SP2 update for flatpak
openEuler 22.03 LTS SP1 update for flatpak
openEuler 22.03 LTS update for flatpak
openEuler 22.03 LTS SP3 update for flatpak
openEuler update for flatpak
Red Hat Enterprise Linux 8 update for flatpak
Red Hat Enterprise Linux 7 update for flatpak
Multiple vulnerabilities in flatpak
Security restrictions bypass in Bubblewrap