CVE-2019-11460: Input Validation
First published: Mon Apr 22 2019(Updated: )
An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 prior to 3.30.2.2, and 3.32 prior to 3.32.1.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's controlling terminal, allowing an attacker to escape the sandbox if the thumbnailer has a controlling terminal. This is due to improper filtering of the TIOCSTI ioctl on 64-bit systems, similar to CVE-2019-10063.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ubuntu/gnome-desktop3 | <3.28.2-0ubuntu1.3 | 3.28.2-0ubuntu1.3 |
| ubuntu/gnome-desktop3 | <3.30.1-1ubuntu1.1 | 3.30.1-1ubuntu1.1 |
| ubuntu/gnome-desktop3 | <3.32.1-1ubuntu1.1 | 3.32.1-1ubuntu1.1 |
| debian/gnome-desktop3 | 3.38.5-3 | |
| gir1.2-gnomedesktop-4.0 | >=3.30.0<3.30.2.2 | |
| gir1.2-gnomedesktop-4.0 | >=3.32.0<3.32.1.1 | |
| gir1.2-gnomedesktop-4.0 | =3.26.0 | |
| gir1.2-gnomedesktop-4.0 | =3.28.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00088.html
- https://gitlab.gnome.org/GNOME/gnome-desktop/issues/112
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V5V6EIUHYR7SNKCRIGYCD3UWNEGFNT2F/
- https://security.gentoo.org/glsa/201908-28
- https://usn.ubuntu.com/3994-1/
- https://launchpad.net/bugs/cve/CVE-2019-11460
- https://security-tracker.debian.org/tracker/CVE-2019-11460
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V5V6EIUHYR7SNKCRIGYCD3UWNEGFNT2F/
- https://ubuntu.com/security/notices/USN-3994-1
- https://www.cve.org/CVERecord?id=CVE-2019-11460
- https://nvd.nist.gov/vuln/detail/CVE-2019-11460
- https://gitlab.gnome.org/GNOME/gnome-desktop/commit/02198486eb2d27928db86a685383ab4a0ff9b742
- https://gitlab.gnome.org/GNOME/gnome-desktop/commit/83949ed5800ec99953f5ee8d2bf8b90a69daa850
- https://gitlab.gnome.org/GNOME/gnome-desktop/commit/a5475e97c30682c0867bd99b78e7fe600129871a
- https://ubuntu.com/security/CVE-2019-11460
Frequently Asked Questions
What is the severity of CVE-2019-11460?
CVE-2019-11460 has been classified with a moderate severity level due to its potential to allow a compromised thumbnailer to escape the bubblewrap sandbox.
How do I fix CVE-2019-11460?
To fix CVE-2019-11460, upgrade GNOME gnome-desktop to version 3.30.2.2 or later, or 3.32.1.1 or later.
Which versions of GNOME gnome-desktop are affected by CVE-2019-11460?
CVE-2019-11460 affects GNOME gnome-desktop versions 3.26, 3.28, and 3.30 prior to 3.30.2.2, and 3.32 prior to 3.32.1.1.
Does CVE-2019-11460 affect Ubuntu users?
Yes, Ubuntu users should be aware of CVE-2019-11460 and update their GNOME gnome-desktop package to the patched versions available.
Are there any workarounds for CVE-2019-11460 if I cannot upgrade?
There are no known workarounds for CVE-2019-11460; the recommended mitigation is to apply the necessary updates.
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/weakness
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- agent/remedy
- agent/references
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/author
- package-manager/ubuntu
- package-manager/debian
- vendor/gnome
- canonical/gir1.2-gnomedesktop-4.0
- version/gir1.2-gnomedesktop-4.0/3.30.0
- version/gir1.2-gnomedesktop-4.0/3.32.0
- version/gir1.2-gnomedesktop-4.0/3.26.0
- version/gir1.2-gnomedesktop-4.0/3.28.0