34
submitted 3 months ago* (last edited 3 months ago) by possiblylinux127@lemmy.zip to c/linux@lemmy.ml

CVE-2017-5226 is a issue with bubblewrap that allows a program running in a sandbox to excape and get the same privileges as a the parent process. I recently discovered this by mistake and it is fairly concerning to me. ~~I believe it applies to Flatpak as Flatpak uses bubblewrap under the hood.~~

~~Many people like to boast about how secure and private flatpak and some even run untrusted software in it. However, the reality is that there hasn't been a lot of testing and the fact that this CVE still exists but isn't well known is concerning.~~

The reason it wasn't patched is that it is really hard to properly fix. The work around is to call bubblewrap with the --new-session flag as this effectively prevents the excape. However, this breaks interactive programs such as htop. Also the bubblewrap team believes this is a issue that should be solved downstream as this CVE is technically not a CVE in the traditional sense.

I think it is still better to run flatpak over non flatpak but it is something to be aware of

Edit:

It doesn't apply to flatpak as it is patched in 1.3.1and higher https://github.com/flatpak/flatpak/security/advisories/GHSA-7gfv-rvfx-h87x

Basically this is a communication and people problem not a technical one

Edit2:

This isn't exploitable on modern systems with 6.1 or newer with the way most distros compile the kernel

top 13 comments
sorted by: hot top controversial new old
[-] Max_P@lemmy.max-p.me 11 points 3 months ago

It's definitely not perfect, but this also wouldn't affect GUI apps because there's no shell to send inputs into to run other commands. There's also more container escapes than just that.

But it's an added layer of security regardless, especially if you're not directly running software designed to escape the sandbox. A drive by exploit in a browser for example, is less likely to successfully escape because the stars needs to align that you have both a vulnerable browser and a vulnerable kernel at the same time.

The average credential stealer or NPM malware is likely to be contained and not even realize it's in a sandbox. You have to get malware and said malware is smart enough to exploit an unpatched CVE in your sandbox.

But no it's not perfect, the only way to safely run malware is on a separate physical machine with no access to your local network, and ideally with no wireless technology at all (to avoid WiFi/Bluetooth exploits). Even VMs can be escaped, there's a few CVEs for that too, and of course the processor bugs.

Security comes in layers, unless a layer is basically useless, it counts.

[-] possiblylinux127@lemmy.zip 3 points 3 months ago

The term you are looking for is security in depth.

I just noticed this when researching bubblewrap

[-] Bero@lemmy.world 6 points 3 months ago

Isn't that irrelevant since tiocsti is disabled on modern kernels?

[-] possiblylinux127@lemmy.zip 1 points 3 months ago
[-] Bero@lemmy.world 5 points 3 months ago

Well the exploit in the CVE needs the kernel function.
And it's disabled as default since 6.2.

[-] refalo@programming.dev 3 points 3 months ago* (last edited 3 months ago)

my ubuntu 22 AWS VM only got 6.2 in september, and I haven't rebooted yet so it's still on 5.15. probably tons of desktops and servers are still using < 6.2

[-] Strit@lemmy.linuxuserspace.show 3 points 3 months ago

Which is why they said "modern" kernels. LTS systems are usually not going for modern. :)

[-] refalo@programming.dev 5 points 3 months ago

we can disagree on the definition of modern.

[-] Strit@lemmy.linuxuserspace.show 1 points 3 months ago

That's true. It varies from person to person. I, for example, am an Arch user, so modern for me is only around a year or so. Ubuntu 22.04 is old in my eyes, mostly because a newer LTS was released after it.

You might define Ubuntu 22.04 as new, because it's still fully supported.

It's just a question of how you define modern/recent.

[-] lord_ryvan@ttrpg.network 3 points 3 months ago

Well, “modern” is a relative term, so that might not have been a good pick...

[-] Technus@lemmy.zip 0 points 3 months ago

My understanding is that Flatpak was never designed to be a secure environment. It's all about convenience.

Running software you know you can't trust is idiotic no matter how well you sandbox it.

[-] possiblylinux127@lemmy.zip 4 points 3 months ago

That is true and is even mentioned by bubblewrap

[-] bsergay@discuss.online 0 points 3 months ago

Running software you know you can’t trust is idiotic no matter how well you sandbox it.

Qubes OS disagrees.

this post was submitted on 15 Jul 2024
34 points (94.7% liked)

Linux

47940 readers
1212 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS